cxInnerComponentsHost does not respect visibility restrictions (e.g., user roles) #20449
Description
Description
When using CMS components that contain composition.inner (e.g., ProductAddToCartComponent), the cxInnerComponentsHost directive renders all inner components unconditionally. It does not evaluate any CMS-defined visibility restrictions, such as:
- User role-based visibility
- Logged-in/logged-out state
- Custom restrictions configured in SmartEdit
As a result, components meant to be shown only to a specific group of users (e.g., B2B customers, administrators) are rendered for everyone if present in composition.inner.
This behavior is inconsistent with how Spartacus handles component visibility elsewhere, where visibility restrictions are either enforced server-side or by the CMS component logic.
Expected Behavior
The cxInnerComponentsHost directive should:
- Respect CMS restrictions, such as those based on user roles or login state.
- Or, provide a customizable hook or service that allows developers to control the rendering logic per inner component.
Why It Matters
- In many real-world scenarios, components are conditionally visible based on user context (e.g., My Orders tab only for logged-in users).
- Without a mechanism to intercept or respect those conditions, developers are forced to implement redundant wrapper logic or override default Spartacus behavior.
- It also breaks the security and UX consistency when restricted content is shown to unauthorized users.
Version
Spartacus version: 2211.39
Best regards!