This release addresses an information disclosure issue in Wagtail's commenting feature. Previously, notifications for new replies in a comment thread were sent to every user who had commented or replied anywhere on the site, rather than only to the participants in the relevant thread. As a result, any user who had left a single comment or reply somewhere on the site would receive notifications of new comment replies on pages they did not have editing access to.
Many thanks to Ihor Marhitych for reporting this issue. For further details, please see `the CVE-2022-21683 security advisory <https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889>`_.
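The recipient-selection logic at the heart of this issue, as an added illustration that is not Wagtail's own code: a small in-memory model of comments, threads and page edit permissions, with the pre-fix recipient rule (every commenter on the site) beside a corrected rule that restricts recipients to the thread's participants. The ``Comment`` dataclass, the sample comments and the ``EDIT_PERMISSIONS`` table are constructed for this example; the permission filter in ``recipients_fixed`` is an extra hardening step, not a description of the exact change Wagtail shipped.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Comment:
    id: int
    page: str       # slug of the page the comment thread belongs to
    user: str
    parent: Optional[int] = None  # None for a top-level comment, else the id replied to

# Constructed sample data: two pages, three users.
COMMENTS = [
    Comment(1, "about", "alice"),
    Comment(2, "about", "bob", parent=1),
    Comment(3, "pricing", "carol"),   # carol has only ever commented on "pricing"
]

# Constructed permission table (assumption for this example, not Wagtail's model):
# which pages each user is allowed to edit.
EDIT_PERMISSIONS = {
    "alice": {"about", "pricing"},
    "bob": {"about"},
    "carol": {"pricing"},
}

def thread_root(comment: Comment, comments: Iterable[Comment]) -> Comment:
    """Walk up the parent chain to the top-level comment that starts the thread."""
    by_id = {c.id: c for c in comments}
    while comment.parent is not None:
        comment = by_id[comment.parent]
    return comment

def recipients_vulnerable(reply: Comment, comments: Iterable[Comment]) -> set:
    """Pre-fix behaviour described in the release note: notify every user who has
    commented or replied anywhere on the site, whatever page or thread it was on."""
    return {c.user for c in comments} - {reply.user}

def recipients_fixed(reply: Comment, comments: Iterable[Comment], permissions: dict) -> set:
    """Notify only participants of the reply's own thread, excluding the author of
    the reply, and (extra hardening) only those who can edit the page in question."""
    comments = list(comments)
    root = thread_root(reply, comments)
    participants = {
        c.user for c in comments if thread_root(c, comments).id == root.id
    } - {reply.user}
    return {u for u in participants if root.page in permissions.get(u, set())}

if __name__ == "__main__":
    # alice replies to bob in the "about" thread
    reply = Comment(4, "about", "alice", parent=2)
    print("vulnerable:", sorted(recipients_vulnerable(reply, COMMENTS)))
    print("fixed:     ", sorted(recipients_fixed(reply, COMMENTS, EDIT_PERMISSIONS)))
```

With the sample data, the pre-fix rule notifies carol of a reply on a page she has never commented on and cannot edit; the corrected rule notifies only bob.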
This release restores the ability to run Wagtail against installations of SQLite that do not include the ``fts5`` extension for full-text search support. On these installations, the fallback search backend (without support for full-text queries) will be used, and the database table for storing indexed content will not be created.
If SQLite is subsequently upgraded to a version with ``fts5`` support, existing databases will still be missing this table, and full-text search will continue to be unavailable until it is created. To correct this, first make a backup copy of the database (since rolling back the migration could potentially reverse other schema changes), then run:
Additionally, since the database search backend now needs to run a query on initialization to check for the presence of this table, calling ``wagtail.search.backends.get_search_backend`` during application startup (for example at module import time) may now fail with Django's ``AppRegistryNotReady`` error ("Models aren't loaded yet"). Code that does this should be updated to call ``get_search_backend`` only at the point where a search query is actually performed.
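The two checks behind the fallback behaviour described above, as an added example written for this page rather than taken from Wagtail's search backend: a probe of the linked SQLite library for ``fts5`` support, and a check of whether a given database already contains the full-text index table. The table name ``wagtailsearch_indexentry_fts`` is an assumption for this example and should be verified against your own schema; ``choose_backend`` returns a label describing which of the three situations in the release note applies.

```python
import sqlite3

# Assumed name of the full-text index table (not verified against Wagtail's schema).
FTS_TABLE = "wagtailsearch_indexentry_fts"

def sqlite_has_fts5() -> bool:
    """Probe the SQLite library Python is linked against by trying to create an
    fts5 virtual table in a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE probe USING fts5(body)")
        return True
    except sqlite3.OperationalError:
        # "no such module: fts5" on builds without the extension
        return False
    finally:
        conn.close()

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if a table (virtual tables included) with this name is in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def choose_backend(conn: sqlite3.Connection, fts_table: str = FTS_TABLE) -> str:
    """Mirror the decision described in the release note."""
    if not sqlite_has_fts5():
        return "fallback: fts5 extension not available"
    if not table_exists(conn, fts_table):
        return "fallback: fts5 available but index table missing (run the migration)"
    return "full-text"

if __name__ == "__main__":
    # Constructed example: an existing database that was created without fts5
    db = sqlite3.connect(":memory:")
    print(choose_backend(db))
    db.execute(f"CREATE TABLE {FTS_TABLE} (id INTEGER PRIMARY KEY, body TEXT)")
    print(choose_backend(db))
```

The probe is the same check ``sqlite3`` performs implicitly when the virtual table is first created, so it reports on the library actually in use rather than on ``sqlite3.sqlite_version``, which says nothing about compile-time extensions.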