Hiding the Create Community button 2nd

by Christoph Stoettner
Read in about 2 min · 266 words

Close-Up Photo of a Child Solving a Rubiks Cube

Photo by MART PRODUCTION | Pexels

Some time ago I got the tip from HCL Support, that the Create Community button will recognize the role community-creator only when the gatekeeper option CATALOG_CARD_UPDATED is set to false.

This is working, but I had to complain, that this option activates some code, which loads fonts from a CDN instead of the local Connections deployment.

For some customers external download of code, fonts, or styles is an issue and this was already fixed with CATALOG_CARD_UPDATED=true, so I was very surprised, as users complained again, that the Community catalog page is requesting fonts from CDN.

Finally, HCL offered to add the functionality, that the community create button is only visible when the user has the role Community-creator when CATALOG_CARD_UPDATED is set to true, HCL wrote some more details in the defect article KB0088295 .

So when you want fonts only loaded from on premises resources and have a hidden / shown create community button, then you should switch back to CATALOG_CARD_UPDATED=true, after you installed the CFix.70.2110 or the upcoming CFix.65.2111 .

Why is loading fonts from CDN not a good idea?

A very good summary about this topic was written by Collin M Barret in his article Blocking Web Fonts for Speed and Privacy and there is nothing to add.

It is less a security issue, because there were only view vulnerabilities in the context of external web fonts, but we shouldn’t forget the privacy concerns. Please read the article for more details.


Edited on 04.12.2021
Add a comment
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Card image cap

Connections 7 creates the Community Highlights page automatically and sets it as the start page for new communities.

That’s configured in the highway service, which is available for administrative users on https://your_connections_url/connections/config/highway.main.gatekeeper.tiles

Read in about 3 min
Card image cap

A long time ago, I wrote about the new implementation of allowlists in HCL Connections and that the documentation on customization and adding new rules was an absolute miracle for me.

Read in about 5 min
Card image cap

So up to IBM Connections 6.0 everything was allowed until it was not excluded in one of the blocklist files. This files are stored within the Deployment Manager profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0CR1 everything is forbidden, until it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and active content. Active content means HTML content too. So everything you or your users add to Connections (blog-posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!

Read in about 5 min