This release includes huge database migrations made for query optimization, which includes rewriting of object permission tables. **Database backup is highly recommended before upgrade.**
Also there is a long changelog ahead, so please read information about most important changes in [What's changed](https://mwdb.readthedocs.io/en/latest/whats-changed.html#v2-9-0) section before upgrade.
**Major changes:**
- Huge improvements in Web part which includes:
- Beautified login/registration pages (https://github.com/CERT-Polska/mwdb-core/pull/726)
- Usage of Vite and Rollup for building instead of Create React App and Webpack (741). If you have in-house plugins, read the [**What's changed**](https://mwdb.readthedocs.io/en/latest/whats-changed.html#important-change-changes-in-web-plugins-engine) section in documentation.
- Rewrite to TypeScript (https://github.com/CERT-Polska/mwdb-core/issues/807, kudos postrowinski!)
- Closable error messages (https://github.com/CERT-Polska/mwdb-core/pull/763)
- Search should be much much faster because of these changes:
- Counting of all results before applying actual query is optional and disabled by default as it has huge impact on performance (https://github.com/CERT-Polska/mwdb-core/pull/718)
- When user has `access_all_objects` capability, exclusive object permissions are not even considered in query (https://github.com/CERT-Polska/mwdb-core/pull/783). It also means that `access_all_objects` really gives access to all
objects in system (it's not "autosharing" of all added objects as before), so `everything` group is effectively useless and is not created by default.
- Changes in shares representation, so it's more clear who is the actual uploader of the sample. It's better described [here](https://mwdb.readthedocs.io/en/latest/whats-changed.html#important-change-changes-in-sharing-model) (https://github.com/CERT-Polska/mwdb-core/pull/717)
- `certpl/mwdb` Docker image uses gunicorn instead of uwsgi, as uwsgi project was *mostly* abandoned (https://github.com/CERT-Polska/mwdb-core/pull/735)
- v2.9.0 comes with additional small feature that enables you to ask your users for consent to share samples with 3rd party services (https://github.com/CERT-Polska/mwdb-core/pull/801)
- Karton is bumped to v5.1.0 and its producer shows in `services` tab in Karton Dashboard
- Object listing endpoints are accepting `count` parameter, so you can load them in chunks bigger than 10 (https://github.com/CERT-Polska/mwdb-core/pull/755)
**Minor changes and improvements:**
- Dedicated group is created for each OpenID Connect provider (https://github.com/CERT-Polska/mwdb-core/pull/668)
- ssdeep is replaced with pure-Python implementation - ppdeep (https://github.com/CERT-Polska/mwdb-core/pull/692)
- `sharing_objects` capability was renamed to `sharing_with_all` which better describes its real meaning (https://github.com/CERT-Polska/mwdb-core/pull/696)
- Backslashes are better handled in configuration search (https://github.com/CERT-Polska/mwdb-core/pull/690)
- Rich attributes: field can be rendered as search link using special `{{value}}` syntax (https://github.com/CERT-Polska/mwdb-core/pull/628)
- Sample preview downloads sample in obfuscated form (with negated bits) to not trigger EDR/AV solutions (https://github.com/CERT-Polska/mwdb-core/pull/721, thanks middleware99!)
- Added `access_uploader_info` capability to make users able to search for uploaders from the outside of our groups without giving powerful `sharing_with_all` capability (705)
- Rich preview in AttributeAddModal (https://github.com/CERT-Polska/mwdb-core/pull/724)
- Handle 'misc:' as a proper tag (https://github.com/CERT-Polska/mwdb-core/pull/742, thanks jasperla!)
- OAuth logout, so you can easily logout yourself from OAuth provider e.g. to switch accounts (https://github.com/CERT-Polska/mwdb-core/pull/732)
- Configurable upload size (https://github.com/CERT-Polska/mwdb-core/pull/756)
- Critical error in Web shows JS stack information (https://github.com/CERT-Polska/mwdb-core/pull/790)
- Capabilities can be changed also in User/Group view instead of only Access control page (https://github.com/CERT-Polska/mwdb-core/pull/770)
- User is warned in `Relations` tab when number of relations exceeds 1000 (https://github.com/CERT-Polska/mwdb-core/pull/791)
- `use_x_forwarded_for` option in configuration to respect `X-Forwarded-For` header, enabled by default in Docker images (https://github.com/CERT-Polska/mwdb-core/pull/845)
Bugfixes:
- `NetworkError` exceptions in Web are a bit better handled and they shouldn't crash whole application so often (https://github.com/CERT-Polska/mwdb-core/pull/846)
- OpenID Connect: fixed provider registration (https://github.com/CERT-Polska/mwdb-core/commit/4e015b66c522b517df1486227a0152f51216c8ce, thanks v-rzh!)
Special thanks to yankovs for tracking some regressions during development!
And finally thanks to development team that worked on this release: KWMORALE, Repumba, postrowinski, olivergav, nazywam.
Hopefully we'll be publishing stable releases a bit more often so the changelogs won't be that long :smiling_face_with_tear: