Huh, I just found this topic and it’s related Github issue, because it strike me that, well, if you don’t have permission required to display page, you shouldn’t have access to it’s name as well, but I have no clue if it has been implemented since. Maybe @rhuk will know something?
Edition:
If this wasn’t implemented, a dirty Twig hack for it would be something like this I think:
{% if grav.user.authorize('site.affiliates') or (not grav.user.authorize('site.affiliates') and not page.header.access[''site.affiliates]) %}
<li class="{{ current_page }}"><a href="{{ page.url }}">{{ page.menu }}</a></li>
{% endif %}
If I haven’t mess this up, it should translate to:
If current user has
site.affiliatespermission, or page does not havesite.affiliatescondition set up, then display link to this page in menu.
Sorry it took so long, but I had to draw it on paper sheet to get a grip 