How do you hide fields/redact data dependent on certain values?

[HarryET]

Hey! I have a quick question about the authorization. Lets say I have:

    [GraphQLDescription("A registered user/account.")]
    public class User
    {
        [GraphQLDescription("The ID of the account/user, for internal & identification use.")]
        public string Id { get; set; }

        // Personal Data
        [GraphQLDescription("The first name of the user, this is public data")]
        public string FirstName { get; set; }
        
        [GraphQLDescription("The last name of the user, will be null if your not authenticated as the user or a staff member.")]
        [Authorize]
        public string? LastName { get; set; }
        
        // Misc
        [GraphQLDescription("Flags that define extra info e.g. Staff, etc.")]
        public int Flags { get; set; }
    }

And I want the LastName to be hidden if the requesting user isn't a staff member or the same user who there requesting. I thought of doing it like this:

            descriptor
                .Field(p => p.LastName)
                .Resolve((context) =>
                {
                    ClaimsPrincipal? user = context.GetUser();
                    if(user == null)
                        return "";
                    return "";
                });

However I can't figure it out. Any help would be appreciated. :)

[tobias-tengler]

What's wrong with the last code snippet you've posted? You should be able to access the role (Staff) of the ClaimsPrincipal as well as get the user Id from the ClaimsPrincipal, assuming you've put both of these on the ClaimsPrincipal, e.g. your token.
Then you could also get the Id of the user that's being requested: context.Parent<User>()?.Id and compare it to the UserId of the callee.

Instead of doing the Validation inside of the resolver, you could also create a policy and handle it there: https://chillicream.com/docs/hotchocolate/security/authorization/#policies
To get the Id of the requested user object, you can inject the IResolverContext into the policy: https://chillicream.com/docs/hotchocolate/security/authorization#iresolvercontext-within-an-authorizationhandler