leggedrobotics · Idate96 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/backend/src/endpoints/auth/guards/index.ts b/backend/src/endpoints/auth/guards/index.ts
@@ -12,6 +12,7 @@ export {
     CreateGuard,
     CreateInProjectByBodyGuard,
     DeleteProjectGuard,
+    MigrateProjectByBodyGuard,
     ReadProjectByNameGuard,
     ReadProjectGuard,
     WriteProjectGuard,
@@ -24,6 +25,7 @@ export {
     CanReadManyMissionsGuard,
     CreateInMissionByBodyGuard,
     DeleteTagGuard,
+    MigrateMissionByBodyGuard,
     MoveMissionToProjectGuard,
     ReadMissionByNameGuard,
     ReadMissionGuard,

diff --git a/backend/src/endpoints/auth/guards/mission.guards.ts b/backend/src/endpoints/auth/guards/mission.guards.ts
@@ -7,13 +7,15 @@ import {
     Injectable,
     UnauthorizedException,
 } from '@nestjs/common';
+import { isUUID } from 'class-validator';
 import { BaseGuard } from './base.guards';
 
 interface MissionBody {
     missionUUID?: string;
     missionUuid?: string;
     uuid?: string;
     mission?: string;
+    targetProjectUUID?: string;
 }
 
 interface TagParameters {
@@ -120,10 +122,6 @@ export class CreateInMissionByBodyGuard extends BaseGuard {
         const body = request.body as MissionBody;
         const missionUUID = body.missionUUID ?? body.missionUuid;
 
-        if (user.role === UserRole.ADMIN) {
-            return true;
-        }
-
         if (!missionUUID) {
             return false; // Deny access if UUID not provided
         }
@@ -135,6 +133,9 @@ export class CreateInMissionByBodyGuard extends BaseGuard {
                 AccessGroupRights.CREATE,
             );
         }
+        if (user.role === UserRole.ADMIN) {
+            return true;
+        }
         return this.missionGuardService.canAccessMission(
             user,
             missionUUID,
@@ -155,10 +156,6 @@ export class WriteMissionByBodyGuard extends BaseGuard {
         const body = request.body as MissionBody;
         const missionUUID = body.missionUUID ?? body.missionUuid;
 
-        if (user.role === UserRole.ADMIN) {
-            return true;
-        }
-
         if (!missionUUID) {
             return false; // Deny access if UUID not provided
         }
@@ -170,6 +167,9 @@ export class WriteMissionByBodyGuard extends BaseGuard {
                 AccessGroupRights.WRITE,
             );
         }
+        if (user.role === UserRole.ADMIN) {
+            return true;
+        }
         return this.missionGuardService.canAccessMission(
             user,
             missionUUID,
@@ -195,10 +195,6 @@ export class CanDeleteMissionGuard extends BaseGuard {
             missionUUID = body.uuid ?? body.missionUUID ?? body.missionUuid;
         }
 
-        if (user.role === UserRole.ADMIN) {
-            return true;
-        }
-
         if (!missionUUID && params) {
             missionUUID = params.uuid;
         }
@@ -216,6 +212,9 @@ export class CanDeleteMissionGuard extends BaseGuard {
                 AccessGroupRights.DELETE,
             );
         }
+        if (user.role === UserRole.ADMIN) {
+            return true;
+        }
         return this.missionGuardService.canAccessMission(
             user,
             missionUUID,
@@ -323,3 +322,49 @@ export class MoveMissionToProjectGuard extends BaseGuard {
         );
     }
 }
+
+@Injectable()
+export class MigrateMissionByBodyGuard extends BaseGuard {
+    constructor(
+        private projectGuardService: ProjectGuardService,
+        private missionGuardService: MissionGuardService,
+    ) {
+        super();
+    }
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const { user, apiKey, request } = await this.getUser(context);
+
+        const body = request.body as MissionBody | undefined;
+        const missionUUID = body?.missionUUID;
+        const targetProjectUUID = body?.targetProjectUUID;
+
+        if (!missionUUID || !targetProjectUUID) {
+            throw new BadRequestException(
+                'missionUUID and targetProjectUUID are required',
+            );
+        }
+        if (!isUUID(missionUUID) || !isUUID(targetProjectUUID)) {
+            throw new BadRequestException(
+                'missionUUID and targetProjectUUID must be valid UUIDs',
+            );
+        }
+
+        if (apiKey) {
+            throw new UnauthorizedException('CLI Keys cannot move missions');
+        }
+
+        return (
+            (await this.projectGuardService.canAccessProject(
+                user,
+                targetProjectUUID,
+                AccessGroupRights.CREATE,
+            )) &&
+            (await this.missionGuardService.canAccessMission(
+                user,
+                missionUUID,
+                AccessGroupRights.DELETE,
+            ))
+        );
+    }
+}
diff --git a/backend/src/endpoints/auth/guards/project.guards.ts b/backend/src/endpoints/auth/guards/project.guards.ts
@@ -1,16 +1,20 @@
 import { ProjectGuardService } from '@/services/project-guard.service';
 import { AccessGroupRights, KeyTypes } from '@kleinkram/shared';
 import {
+    BadRequestException,
     ExecutionContext,
     ForbiddenException,
     Injectable,
     UnauthorizedException,
 } from '@nestjs/common';
+import { isUUID } from 'class-validator';
 import { BaseGuard } from './base.guards';
 
 interface ProjectBody {
     projectUUID?: string;
     uuid?: string;
+    sourceProjectUUID?: string;
+    targetProjectUUID?: string;
 }
 
 interface ProjectParameters {
@@ -191,3 +195,46 @@ export class CreateGuard extends BaseGuard {
         return this.projectGuardService.canCreate(user);
     }
 }
+
+@Injectable()
+export class MigrateProjectByBodyGuard extends BaseGuard {
+    constructor(private projectGuardService: ProjectGuardService) {
+        super();
+    }
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const { user, apiKey, request } = await this.getUser(context);
+
+        if (apiKey) {
+            throw new UnauthorizedException('CLI Keys cannot migrate projects');
+        }
+
+        const body = request.body as ProjectBody | undefined;
+        const sourceProjectUUID = body?.sourceProjectUUID;
+        const targetProjectUUID = body?.targetProjectUUID;
+
+        if (!sourceProjectUUID || !targetProjectUUID) {
+            throw new BadRequestException(
+                'sourceProjectUUID and targetProjectUUID are required',
+            );
+        }
+        if (!isUUID(sourceProjectUUID) || !isUUID(targetProjectUUID)) {
+            throw new BadRequestException(
+                'sourceProjectUUID and targetProjectUUID must be valid UUIDs',
+            );
+        }
+
+        return (
+            (await this.projectGuardService.canAccessProject(
+                user,
+                sourceProjectUUID,
+                AccessGroupRights.DELETE,
+            )) &&
+            (await this.projectGuardService.canAccessProject(
+                user,
+                targetProjectUUID,
+                AccessGroupRights.CREATE,
+            ))
+        );
+    }
+}
diff --git a/backend/src/endpoints/auth/roles.decorator.ts b/backend/src/endpoints/auth/roles.decorator.ts
@@ -23,6 +23,8 @@ import {
     DeleteProjectGuard,
     DeleteTagGuard,
     LoggedInUserGuard,
+    MigrateMissionByBodyGuard,
+    MigrateProjectByBodyGuard,
     MoveFilesGuard,
     MoveMissionToProjectGuard,
     ReadActionGuard,
@@ -143,6 +145,19 @@ export function CanDeleteProject() {
     );
 }
 
+export function CanMigrateProjectByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateProjectByBody', true),
+        UseGuards(MigrateProjectByBodyGuard),
+        ApiResponse({
+            status: 401,
+            type: UnauthorizedExceptionDto,
+            description:
+                'User does not have permissions to migrate between the specified projects.',
+        }),
+    );
+}
-export function CanMigrateProjectByBody() {
-    return applyDecorators(
-        SetMetadata('CanMigrateProjectByBody', true),
-        UseGuards(MigrateProjectByBodyGuard),
-        ApiResponse({
-            status: 401,
-            type: UnauthorizedExceptionDto,
-            description:
-                'User does not have permissions to migrate between the specified projects.',
-        }),
-    );
-}
+export function CanMigrateProjectByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateProjectByBody', true),
+        UseGuards(MigrateProjectByBodyGuard),
+        ApiResponse({
+            status: 401,
+            type: UnauthorizedExceptionDto,
+            description:
+                'User does not have permissions to migrate between the specified projects.',
+        }),
+        ApiResponse({
+            status: 403,
+            type: ForbiddenException,
+            description:
+                'User does not have sufficient access rights on the source or target project.',
+        }),
+    );
+}
-export function CanMigrateProjectByBody() {
-    return applyDecorators(
-        SetMetadata('CanMigrateProjectByBody', true),
-        UseGuards(MigrateProjectByBodyGuard),
-        ApiResponse({
-            status: 401,
-            type: UnauthorizedExceptionDto,
-            description:
-                'User does not have permissions to migrate between the specified projects.',
-        }),
-    );
-}
+export function CanMigrateProjectByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateProjectByBody', true),
+        UseGuards(MigrateProjectByBodyGuard),
+        ApiResponse({
+            status: 401,
+            type: UnauthorizedExceptionDto,
+            description:
+                'User does not have permissions to migrate between the specified projects.',
+        }),
+        ApiResponse({
+            status: 403,
+            type: ForbiddenException,
+            description:
+                'User does not have sufficient access rights on the source or target project.',
+        }),
+    );
+}
+
 export function CanCreate() {
     return applyDecorators(
         SetMetadata('CanCreate', true),
@@ -195,6 +210,19 @@ export function CanMoveMission() {
     );
 }
 
+export function CanMigrateMissionByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateMissionByBody', true),
+        UseGuards(MigrateMissionByBodyGuard),
+        ApiResponse({
+            status: 403,
+            type: ForbiddenException,
+            description:
+                'User does not have permissions to migrate the specified mission.',
+        }),
+    );
+}
-export function CanMigrateMissionByBody() {
-    return applyDecorators(
-        SetMetadata('CanMigrateMissionByBody', true),
-        UseGuards(MigrateMissionByBodyGuard),
-        ApiResponse({
-            status: 403,
-            type: ForbiddenException,
-            description:
-                'User does not have permissions to migrate the specified mission.',
-        }),
-    );
-}
+export function CanMigrateMissionByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateMissionByBody', true),
+        UseGuards(MigrateMissionByBodyGuard),
+        ApiResponse({
+            status: 401,
+            type: UnauthorizedExceptionDto,
+            description:
+                'User does not have permissions to migrate the specified mission.',
+        }),
+    );
+}
-export function CanMigrateMissionByBody() {
-    return applyDecorators(
-        SetMetadata('CanMigrateMissionByBody', true),
-        UseGuards(MigrateMissionByBodyGuard),
-        ApiResponse({
-            status: 403,
-            type: ForbiddenException,
-            description:
-                'User does not have permissions to migrate the specified mission.',
-        }),
-    );
-}
+export function CanMigrateMissionByBody() {
+    return applyDecorators(
+        SetMetadata('CanMigrateMissionByBody', true),
+        UseGuards(MigrateMissionByBodyGuard),
+        ApiResponse({
+            status: 401,
+            type: UnauthorizedExceptionDto,
+            description:
+                'User does not have permissions to migrate the specified mission.',
+        }),
+    );
+}
+
 export function CanReadFile() {
     return applyDecorators(
         SetMetadata('CanReadFile', true),

diff --git a/backend/src/endpoints/mission/mission.controller.ts b/backend/src/endpoints/mission/mission.controller.ts
@@ -11,6 +11,8 @@ import {
 import {
     CreateMission,
     FlatMissionDto,
+    MigrateMissionDto,
+    MigrateMissionResponseDto,
     MinimumMissionsDto,
     MissionsDto,
     MissionWithFilesDto,
@@ -21,6 +23,7 @@ import { ParameterUuid as ParameterUID } from '../../validation/parameter-decora
 import {
     CanCreateInProjectByBody,
     CanDeleteMission,
+    CanMigrateMissionByBody,
     CanMoveMission,
     CanReadMission,
     CanWriteMissionByBody,
@@ -172,6 +175,27 @@ export class MissionController {
         return this.missionService.moveMission(missionUUID, projectUUID);
     }
 
+    @Post('migrate')
+    @CanMigrateMissionByBody()
+    @ApiOkResponse({
+        description: 'Mission migrated to another project',
+        type: MigrateMissionResponseDto,
+    })
+    async migrateMission(
+        @Body() dto: MigrateMissionDto,
+    ): Promise<MigrateMissionResponseDto> {
+        await this.missionService.migrateMission(
+            dto.missionUUID,
+            dto.targetProjectUUID,
+            dto.newName,
+        );
+        return {
+            success: true,
+            missionUUID: dto.missionUUID,
+            targetProjectUUID: dto.targetProjectUUID,
+        };
+    }
+
     @Delete(':uuid')
     @CanDeleteMission()
     @OutputDto(null) // TODO: type API response

diff --git a/backend/src/endpoints/project/project.controller.ts b/backend/src/endpoints/project/project.controller.ts
@@ -8,6 +8,8 @@ import {
     CreateProject,
     DefaultRights,
     DeleteProjectResponseDto,
+    MigrateProjectDto,
+    MigrateProjectResponseDto,
     ProjectAccessDto,
     ProjectAccessListDto,
     ProjectDto,
@@ -34,6 +36,7 @@ import { AddUser, AuthHeader } from '../auth/parameter-decorator';
 import {
     CanCreate,
     CanDeleteProject,
+    CanMigrateProjectByBody,
     CanReadProject,
     CanWriteProject,
     LoggedIn,
@@ -195,6 +198,18 @@ export class ProjectController {
     ): Promise<ProjectAccessListDto> {
         return this.accessService.updateProjectAccess(uuid, body, auth);
     }
+
+    @Post('migrate')
+    @CanMigrateProjectByBody()
+    @ApiOkResponse({
+        description: 'Project missions migrated to another project',
+        type: MigrateProjectResponseDto,
+    })
+    async migrateProject(
+        @Body() dto: MigrateProjectDto,
+    ): Promise<MigrateProjectResponseDto> {
+        return this.projectService.migrateProject(dto);
+    }
 }
 
 // TODO: this controller should get removed at some point,

diff --git a/backend/src/endpoints/project/project.module.ts b/backend/src/endpoints/project/project.module.ts
@@ -3,7 +3,9 @@ import { ProjectService } from '@/services/project.service';
 import { AccessGroupEntity, ProjectEntity } from '@kleinkram/backend-common';
 import { AccountEntity } from '@kleinkram/backend-common/entities/auth/account.entity';
 import { ProjectAccessEntity } from '@kleinkram/backend-common/entities/auth/project-access.entity';
+import { MissionEntity } from '@kleinkram/backend-common/entities/mission/mission.entity';
 import { TagTypeEntity } from '@kleinkram/backend-common/entities/tagType/tag-type.entity';
+import { StorageModule } from '@kleinkram/backend-common/modules/storage/storage.module';
 import { Module } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { OldProjectController, ProjectController } from './project.controller';
@@ -16,7 +18,9 @@ import { OldProjectController, ProjectController } from './project.controller';
             AccessGroupEntity,
             TagTypeEntity,
             ProjectAccessEntity,
+            MissionEntity,
         ]),
+        StorageModule,
     ],
     providers: [ProjectService, AccessService],
     exports: [ProjectService],