3 files changed, 69 insertions, 0 deletions

diff --git a/app/blueprints/packages/releases.py b/app/blueprints/packages/releases.py
index a7f161e..6ef19d2 100644
--- a/app/blueprints/packages/releases.py
+++ b/app/blueprints/packages/releases.py
@@ -225,3 +225,20 @@ def bulk_change_release(package):
 		return redirect(package.getDetailsURL())
 
 	return render_template("packages/release_bulk_change.html", package=package, form=form)
+
+
+@bp.route("/packages/<author>/<name>/releases/<id>/delete/", methods=["POST"])
+@login_required
+@is_package_page
+def delete_release(package, id):
+	release = PackageRelease.query.get(id)
+	if release is None or release.package != package:
+		abort(404)
+
+	if not release.checkPerm(current_user, Permission.DELETE_RELEASE):
+		return redirect(release.getEditURL())
+
+	db.session.delete(release)
+	db.session.commit()
+
+	return redirect(package.getDetailsURL())
diff --git a/app/models.py b/app/models.py
index 78bba43..df1e5a1 100644
--- a/app/models.py
+++ b/app/models.py
@@ -78,6 +78,7 @@ class Permission(enum.Enum):
 	CHANGE_AUTHOR      = "CHANGE_AUTHOR"
 	CHANGE_NAME        = "CHANGE_NAME"
 	MAKE_RELEASE       = "MAKE_RELEASE"
+	DELETE_RELEASE     = "DELETE_RELEASE"
 	ADD_SCREENSHOTS    = "ADD_SCREENSHOTS"
 	APPROVE_SCREENSHOT = "APPROVE_SCREENSHOT"
 	APPROVE_RELEASE    = "APPROVE_RELEASE"
@@ -741,6 +742,12 @@ class PackageRelease(db.Model):
 				name=self.package.name,
 				id=self.id)
 
+	def getDeleteURL(self):
+		return url_for("packages.delete_release",
+				author=self.package.author.username,
+				name=self.package.name,
+				id=self.id)
+
 	def getDownloadURL(self):
 		return url_for("packages.download_release",
 				author=self.package.author.username,
@@ -761,6 +768,36 @@ class PackageRelease(db.Model):
 		self.approved = True
 		return True
 
+	def checkPerm(self, user, perm):
+		if not user.is_authenticated:
+			return False
+
+		if type(perm) == str:
+			perm = Permission[perm]
+		elif type(perm) != Permission:
+			raise Exception("Unknown permission given to PackageRelease.checkPerm()")
+
+		isOwner = user == self.package.author
+
+		if perm == Permission.DELETE_RELEASE:
+			if user.rank.atLeast(UserRank.ADMIN):
+				return True
+
+			if not (isOwner or user.rank.atLeast(UserRank.EDITOR)):
+				return False
+
+			if not self.package.approved:
+				return True
+
+			count = PackageRelease.query \
+					.filter_by(package_id=self.package_id) \
+					.filter(PackageRelease.id > self.id) \
+					.count()
+
+			return count > 0
+		else:
+			raise Exception("Permission {} is not related to releases".format(perm.name))
+
 
 class PackageReview(db.Model):
 	id         = db.Column(db.Integer, primary_key=True)
diff --git a/app/templates/packages/release_edit.html b/app/templates/packages/release_edit.html
index 37fc655..36d41d4 100644
--- a/app/templates/packages/release_edit.html
+++ b/app/templates/packages/release_edit.html
@@ -5,6 +5,7 @@
 {% endblock %}
 
 {% block content %}
+	<h2>{{ _("Edit Release") }}</h2>
 	{% from "macros/forms.html" import render_field, render_submit_field, render_checkbox_field %}
 	<form method="POST" action="">
 		{{ form.hidden_tag() }}
@@ -59,6 +60,20 @@
 
 		{{ render_submit_field(form.submit) }}
 	</form>
+
+	<h2 class="mt-5">{{ _("Delete Release") }}</h2>
+
+	{% if release.checkPerm(current_user, "DELETE_RELEASE") %}
+		<form method="POST" action="{{ release.getDeleteURL() }}" class="mb-5">
+			<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+			<p>This is permanent.</p>
+			<input class="btn btn-danger" type="submit" value="Delete">
+		</form>
+	{% else %}
+		<div class="alert alert-secondary mb-5">
+			{{ _("You cannot delete the latest release; please create a newer one first.") }}
+		</div>
+	{% endif %}
 {% endblock %}
 
 {% block scriptextra %}