huoxin, I'm not sure what the problem is, but an easy first step to troubleshoot would be to replace return $serializer->getActor()->hasPermission('serakoi-flarumstaffbadge.canEditStaffBadge'); with return true or similar, and check if you see the change in the console log in the frontend. You can also dump app.session.user.data in the JavaScript console and check whether your new user attributes are visible in the payload.

If you see the attribute in the raw payload, make sure everything is spelled and capitalized correctly.

User::hasPermission() only takes a single parameter, so your second attribute canEditTagList probably doesn't contain the value you expect; the $user parameter is just ignored, or possibly throws an exception.