fix(repository): Move backend code into subdirectory

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

backend/src/api/public/alias/alias.controller.ts

@@ -0,0 +1,121 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { AliasCreateDto } from '../../../notes/alias-create.dto';
+import { AliasUpdateDto } from '../../../notes/alias-update.dto';
+import { AliasDto } from '../../../notes/alias.dto';
+import { AliasService } from '../../../notes/alias.service';
+import { NotesService } from '../../../notes/notes.service';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { User } from '../../../users/user.entity';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('alias')
+@ApiSecurity('token')
+@Controller('alias')
+export class AliasController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private aliasService: AliasService,
+    private noteService: NotesService,
+    private permissionsService: PermissionsService,
+  ) {
+    this.logger.setContext(AliasController.name);
+  }
+
+  @Post()
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The new alias',
+      dto: AliasDto,
+    },
+    403,
+    404,
+  )
+  async addAlias(
+    @RequestUser() user: User,
+    @Body() newAliasDto: AliasCreateDto,
+  ): Promise<AliasDto> {
+    const note = await this.noteService.getNoteByIdOrAlias(
+      newAliasDto.noteIdOrAlias,
+    );
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.addAlias(
+      note,
+      newAliasDto.newAlias,
+    );
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Put(':alias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated alias',
+      dto: AliasDto,
+    },
+    403,
+    404,
+  )
+  async makeAliasPrimary(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+    @Body() changeAliasDto: AliasUpdateDto,
+  ): Promise<AliasDto> {
+    if (!changeAliasDto.primaryAlias) {
+      throw new BadRequestException(
+        `The field 'primaryAlias' must be set to 'true'.`,
+      );
+    }
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.makeAliasPrimary(note, alias);
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Delete(':alias')
+  @OpenApi(
+    {
+      code: 204,
+      description: 'The alias was deleted',
+    },
+    400,
+    403,
+    404,
+  )
+  async removeAlias(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+  ): Promise<void> {
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    await this.aliasService.removeAlias(note, alias);
+  }
+}

backend/src/api/public/me/me.controller.ts

@@ -0,0 +1,152 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { HistoryEntryUpdateDto } from '../../../history/history-entry-update.dto';
+import { HistoryEntryDto } from '../../../history/history-entry.dto';
+import { HistoryService } from '../../../history/history.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { FullUserInfoDto } from '../../../users/user-info.dto';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('me')
+@ApiSecurity('token')
+@Controller('me')
+export class MeController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private usersService: UsersService,
+    private historyService: HistoryService,
+    private notesService: NotesService,
+    private mediaService: MediaService,
+  ) {
+    this.logger.setContext(MeController.name);
+  }
+
+  @Get()
+  @OpenApi({
+    code: 200,
+    description: 'The user information',
+    dto: FullUserInfoDto,
+  })
+  getMe(@RequestUser() user: User): FullUserInfoDto {
+    return this.usersService.toFullUserDto(user);
+  }
+
+  @Get('history')
+  @OpenApi({
+    code: 200,
+    description: 'The history entries of the user',
+    isArray: true,
+    dto: HistoryEntryDto,
+  })
+  async getUserHistory(@RequestUser() user: User): Promise<HistoryEntryDto[]> {
+    const foundEntries = await this.historyService.getEntriesByUser(user);
+    return await Promise.all(
+      foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Get('history/:noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The history entry of the user which points to the note',
+      dto: HistoryEntryDto,
+    },
+    404,
+  )
+  async getHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<HistoryEntryDto> {
+    const foundEntry = await this.historyService.getEntryByNote(note, user);
+    return await this.historyService.toHistoryEntryDto(foundEntry);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Put('history/:noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated history entry',
+      dto: HistoryEntryDto,
+    },
+    404,
+  )
+  async updateHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() entryUpdateDto: HistoryEntryUpdateDto,
+  ): Promise<HistoryEntryDto> {
+    // ToDo: Check if user is allowed to pin this history entry
+    return await this.historyService.toHistoryEntryDto(
+      await this.historyService.updateHistoryEntry(note, user, entryUpdateDto),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Delete('history/:noteIdOrAlias')
+  @OpenApi(204, 404)
+  async deleteHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<void> {
+    // ToDo: Check if user is allowed to delete note
+    await this.historyService.deleteHistoryEntry(note, user);
+  }
+
+  @Get('notes')
+  @OpenApi({
+    code: 200,
+    description: 'Metadata of all notes of the user',
+    isArray: true,
+    dto: NoteMetadataDto,
+  })
+  async getMyNotes(@RequestUser() user: User): Promise<NoteMetadataDto[]> {
+    const notes = this.notesService.getUserNotes(user);
+    return await Promise.all(
+      (await notes).map((note) => this.notesService.toNoteMetadataDto(note)),
+    );
+  }
+
+  @Get('media')
+  @OpenApi({
+    code: 200,
+    description: 'All media uploads of the user',
+    isArray: true,
+    dto: MediaUploadDto,
+  })
+  async getMyMedia(@RequestUser() user: User): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByUser(user);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+}

backend/src/api/public/media/media.controller.ts

@@ -0,0 +1,118 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Controller,
+  Delete,
+  Param,
+  Post,
+  UploadedFile,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { FileInterceptor } from '@nestjs/platform-express';
+import {
+  ApiBody,
+  ApiConsumes,
+  ApiHeader,
+  ApiSecurity,
+  ApiTags,
+} from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { PermissionError } from '../../../errors/errors';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { MulterFile } from '../../../media/multer-file.interface';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { User } from '../../../users/user.entity';
+import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('media')
+@ApiSecurity('token')
+@Controller('media')
+export class MediaController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private mediaService: MediaService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(MediaController.name);
+  }
+
+  @Post()
+  @ApiConsumes('multipart/form-data')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        file: {
+          type: 'string',
+          format: 'binary',
+        },
+      },
+    },
+  })
+  @ApiHeader({
+    name: 'HedgeDoc-Note',
+    description: 'ID or alias of the parent note',
+  })
+  @OpenApi(
+    {
+      code: 201,
+      description: 'The file was uploaded successfully',
+      dto: MediaUploadDto,
+    },
+    400,
+    403,
+    404,
+    500,
+  )
+  @UseInterceptors(FileInterceptor('file'))
+  @UseInterceptors(NoteHeaderInterceptor)
+  async uploadMedia(
+    @RequestUser() user: User,
+    @UploadedFile() file: MulterFile,
+    @RequestNote() note: Note,
+  ): Promise<MediaUploadDto> {
+    this.logger.debug(
+      `Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
+      'uploadMedia',
+    );
+    const upload = await this.mediaService.saveFile(file.buffer, user, note);
+    return await this.mediaService.toMediaUploadDto(upload);
+  }
+
+  @Delete(':filename')
+  @OpenApi(204, 403, 404, 500)
+  async deleteMedia(
+    @RequestUser() user: User,
+    @Param('filename') filename: string,
+  ): Promise<void> {
+    const username = user.username;
+    this.logger.debug(
+      `Deleting '${filename}' for user '${username}'`,
+      'deleteMedia',
+    );
+    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
+    if ((await mediaUpload.user).username !== username) {
+      this.logger.warn(
+        `${username} tried to delete '${filename}', but is not the owner`,
+        'deleteMedia',
+      );
+      throw new PermissionError(
+        `File '${filename}' is not owned by '${username}'`,
+      );
+    }
+    await this.mediaService.deleteFile(mediaUpload);
+  }
+}

backend/src/api/public/monitoring/monitoring.controller.ts

@@ -0,0 +1,48 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, UseGuards } from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { MonitoringService } from '../../../monitoring/monitoring.service';
+import { ServerStatusDto } from '../../../monitoring/server-status.dto';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('monitoring')
+@ApiSecurity('token')
+@Controller('monitoring')
+export class MonitoringController {
+  constructor(private monitoringService: MonitoringService) {}
+
+  @Get()
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The server info',
+      dto: ServerStatusDto,
+    },
+    403,
+  )
+  getStatus(): Promise<ServerStatusDto> {
+    // TODO: toServerStatusDto.
+    return this.monitoringService.getServerStatus();
+  }
+
+  @Get('prometheus')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Prometheus compatible monitoring data',
+      mimeType: 'text/plain',
+    },
+    403,
+  )
+  getPrometheusStatus(): string {
+    return '';
+  }
+}

backend/src/api/public/notes/notes.controller.ts

@@ -0,0 +1,459 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { NotInDBError } from '../../../errors/errors';
+import { GroupsService } from '../../../groups/groups.service';
+import { HistoryService } from '../../../history/history.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import {
+  NotePermissionsDto,
+  NotePermissionsUpdateDto,
+} from '../../../notes/note-permissions.dto';
+import { NoteDto } from '../../../notes/note.dto';
+import { Note } from '../../../notes/note.entity';
+import { NoteMediaDeletionDto } from '../../../notes/note.media-deletion.dto';
+import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
+import { RevisionDto } from '../../../revisions/revision.dto';
+import { RevisionsService } from '../../../revisions/revisions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { MarkdownBody } from '../../utils/markdown-body.decorator';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard, PermissionsGuard)
+@OpenApi(401)
+@ApiTags('notes')
+@ApiSecurity('token')
+@Controller('notes')
+export class NotesController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private noteService: NotesService,
+    private userService: UsersService,
+    private groupService: GroupsService,
+    private revisionsService: RevisionsService,
+    private historyService: HistoryService,
+    private mediaService: MediaService,
+    private permissionService: PermissionsService,
+  ) {
+    this.logger.setContext(NotesController.name);
+  }
+
+  @Permissions(Permission.CREATE)
+  @Post()
+  @OpenApi(201, 403, 409, 413)
+  async createNote(
+    @RequestUser() user: User,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text);
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Get information about the newly created note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async getNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NoteDto> {
+    await this.historyService.updateHistoryEntryTimestamp(note, user);
+    return await this.noteService.toNoteDto(note);
+  }
+
+  @Permissions(Permission.CREATE)
+  @UseGuards(PermissionsGuard)
+  @Post(':noteAlias')
+  @OpenApi(
+    {
+      code: 201,
+      description: 'Get information about the newly created note',
+      dto: NoteDto,
+    },
+    400,
+    403,
+    409,
+    413,
+  )
+  async createNamedNote(
+    @RequestUser() user: User,
+    @Param('noteAlias') noteAlias: string,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNamedNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user, noteAlias),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 403, 404, 500)
+  async deleteNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
+  ): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByNote(note);
+    for (const mediaUpload of mediaUploads) {
+      if (!noteMediaDeletionDto.keepMedia) {
+        await this.mediaService.deleteFile(mediaUpload);
+      } else {
+        await this.mediaService.removeNoteFromMediaUpload(mediaUpload);
+      }
+    }
+    this.logger.debug(`Deleting note: ${note.id}`, 'deleteNote');
+    await this.noteService.deleteNote(note);
+    this.logger.debug(`Successfully deleted ${note.id}`, 'deleteNote');
+    return;
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.WRITE)
+  @Put(':noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The new, changed note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async updateNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.updateNote(note, text),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/content')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The raw markdown content of the note',
+      mimeType: 'text/markdown',
+    },
+    403,
+    404,
+  )
+  async getNoteContent(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<string> {
+    return await this.noteService.getNoteContent(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/metadata')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The metadata of the note',
+      dto: NoteMetadataDto,
+    },
+    403,
+    404,
+  )
+  async getNoteMetadata(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NoteMetadataDto> {
+    return await this.noteService.toNoteMetadataDto(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @Put(':noteIdOrAlias/metadata/permissions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated permissions of the note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async updateNotePermissions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() updateDto: NotePermissionsUpdateDto,
+  ): Promise<NotePermissionsDto> {
+    return await this.noteService.toNotePermissionsDto(
+      await this.permissionService.updateNotePermissions(note, updateDto),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Get(':noteIdOrAlias/metadata/permissions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Get the permissions for a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async getPermissions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NotePermissionsDto> {
+    return await this.noteService.toNotePermissionsDto(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionUser = await this.userService.getUserByUsername(username);
+    const returnedNote = await this.permissionService.setUserPermission(
+      note,
+      permissionUser,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/users/:userName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.permissionService.removeUserPermission(
+        note,
+        permissionUser,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove user from permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.setGroupPermission(
+      note,
+      permissionGroup,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a group on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.removeGroupPermission(
+      note,
+      permissionGroup,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/owner')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Changes the owner of the note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async changeOwner(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() newOwner: string,
+  ): Promise<NoteDto> {
+    const owner = await this.userService.getUserByUsername(newOwner);
+    return await this.noteService.toNoteDto(
+      await this.permissionService.changeOwner(note, owner),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/revisions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Revisions of the note',
+      isArray: true,
+      dto: RevisionMetadataDto,
+    },
+    403,
+    404,
+  )
+  async getNoteRevisions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<RevisionMetadataDto[]> {
+    const revisions = await this.revisionsService.getAllRevisions(note);
+    return await Promise.all(
+      revisions.map((revision) =>
+        this.revisionsService.toRevisionMetadataDto(revision),
+      ),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/revisions/:revisionId')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Revision of the note for the given id or alias',
+      dto: RevisionDto,
+    },
+    403,
+    404,
+  )
+  async getNoteRevision(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('revisionId') revisionId: number,
+  ): Promise<RevisionDto> {
+    return await this.revisionsService.toRevisionDto(
+      await this.revisionsService.getRevision(note, revisionId),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/media')
+  @OpenApi({
+    code: 200,
+    description: 'All media uploads of the note',
+    isArray: true,
+    dto: MediaUploadDto,
+  })
+  async getNotesMedia(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByNote(note);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+}

backend/src/api/public/public-api.module.ts

@@ -0,0 +1,43 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Module } from '@nestjs/common';
+
+import { GroupsModule } from '../../groups/groups.module';
+import { HistoryModule } from '../../history/history.module';
+import { LoggerModule } from '../../logger/logger.module';
+import { MediaModule } from '../../media/media.module';
+import { MonitoringModule } from '../../monitoring/monitoring.module';
+import { NotesModule } from '../../notes/notes.module';
+import { PermissionsModule } from '../../permissions/permissions.module';
+import { RevisionsModule } from '../../revisions/revisions.module';
+import { UsersModule } from '../../users/users.module';
+import { AliasController } from './alias/alias.controller';
+import { MeController } from './me/me.controller';
+import { MediaController } from './media/media.controller';
+import { MonitoringController } from './monitoring/monitoring.controller';
+import { NotesController } from './notes/notes.controller';
+
+@Module({
+  imports: [
+    GroupsModule,
+    UsersModule,
+    HistoryModule,
+    NotesModule,
+    RevisionsModule,
+    MonitoringModule,
+    LoggerModule,
+    MediaModule,
+    PermissionsModule,
+  ],
+  controllers: [
+    AliasController,
+    MeController,
+    NotesController,
+    MediaController,
+    MonitoringController,
+  ],
+})
+export class PublicApiModule {}