diff --git a/resources/js/store/modules/fileFunctions.js b/resources/js/store/modules/fileFunctions.js
index f785446a..5ae2da5f 100644
--- a/resources/js/store/modules/fileFunctions.js
+++ b/resources/js/store/modules/fileFunctions.js
@@ -58,7 +58,10 @@ const actions = {
         if (!noSelectedItem) commit('CLIPBOARD_CLEAR')
 
         // Get route
-        let route = getters.sharedDetail ? `/api/editor/move/${router.currentRoute.params.token}` : '/api/move'
+        let route = {
+            RequestUpload: `/api/upload-request/${router.currentRoute.params.token}/move`,
+            Public: `/api/editor/move/${router.currentRoute.params.token}`,
+        }[router.currentRoute.name] || '/api/move'
 
         let moveToId = null
 
diff --git a/routes/upload-request.php b/routes/upload-request.php
index feb22527..df0a34a0 100644
--- a/routes/upload-request.php
+++ b/routes/upload-request.php
@@ -3,22 +3,27 @@
 use Domain\UploadRequest\Controllers\CreateFolderController;
 use Domain\UploadRequest\Controllers\DeleteFileOrFolderController;
 use Domain\UploadRequest\Controllers\GetFolderTreeForUploadRequestController;
+use Domain\UploadRequest\Controllers\MoveItemInUploadRequestController;
 use Tests\Domain\UploadRequest\RenameFileOrFolderController;
 use Domain\UploadRequest\Controllers\GetUploadRequestController;
 use Domain\UploadRequest\Controllers\CreateUploadRequestController;
 use Domain\UploadRequest\Controllers\SetUploadRequestAsFilledController;
 use Domain\UploadRequest\Controllers\UploadFilesForUploadRequestController;
 
-Route::get('/{uploadRequest}', GetUploadRequestController::class);
-Route::delete('/{uploadRequest}', SetUploadRequestAsFilledController::class);
-Route::post('/{uploadRequest}/upload', UploadFilesForUploadRequestController::class);
+Route::group(['middleware' => 'upload-request'], function() {
+    Route::get('/{uploadRequest}', GetUploadRequestController::class);
+    Route::delete('/{uploadRequest}', SetUploadRequestAsFilledController::class);
+    Route::post('/{uploadRequest}/upload', UploadFilesForUploadRequestController::class);
 
-// Edit
-Route::patch('/{uploadRequest}/rename/{id}', RenameFileOrFolderController::class);
-Route::post('/{uploadRequest}/create-folder', CreateFolderController::class);
-Route::post('/{uploadRequest}/remove', DeleteFileOrFolderController::class);
+    // Edit
+    Route::patch('/{uploadRequest}/rename/{id}', RenameFileOrFolderController::class);
+    Route::post('/{uploadRequest}/create-folder', CreateFolderController::class);
+    Route::post('/{uploadRequest}/remove', DeleteFileOrFolderController::class);
 
-Route::get('/{uploadRequest}/navigation', GetFolderTreeForUploadRequestController::class);
+    // Browsing
+    Route::get('/{uploadRequest}/navigation', GetFolderTreeForUploadRequestController::class);
+    Route::post('/{uploadRequest}/move', MoveItemInUploadRequestController::class);
+});
 
 Route::group(['middleware' => ['auth:sanctum']], function () {
     Route::post('/', CreateUploadRequestController::class);
diff --git a/src/App/Http/Kernel.php b/src/App/Http/Kernel.php
index e72df3d7..086b64b7 100644
--- a/src/App/Http/Kernel.php
+++ b/src/App/Http/Kernel.php
@@ -1,6 +1,7 @@
 <?php
 namespace App\Http;
 
+use Domain\UploadRequest\Middleware\ProtectUploadRequestRoutes;
 use Fruitcake\Cors\HandleCors;
 use Support\Middleware\TrimStrings;
 use Support\Middleware\TrustProxies;
@@ -75,5 +76,6 @@ class Kernel extends HttpKernel
         'throttle'         => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified'         => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'setup-wizard'     => ProtectSetupWizardRoutes::class,
+        'upload-request'   => ProtectUploadRequestRoutes::class,
     ];
 }
diff --git a/src/Domain/UploadRequest/Controllers/CreateFolderController.php b/src/Domain/UploadRequest/Controllers/CreateFolderController.php
index 80356d68..ccbe44c5 100644
--- a/src/Domain/UploadRequest/Controllers/CreateFolderController.php
+++ b/src/Domain/UploadRequest/Controllers/CreateFolderController.php
@@ -19,11 +19,6 @@ class CreateFolderController
 
     public function __invoke(CreateFolderRequest $request, UploadRequest $uploadRequest)
     {
-        // Check if upload request is active
-        if ($uploadRequest->status !== 'active') {
-            return response('Gone', 410);
-        }
-
         // Check privileges
         if (! in_array($request->input('parent_id'), getChildrenFolderIds($uploadRequest->id))) {
             return response('Access Denied', 403);
diff --git a/src/Domain/UploadRequest/Controllers/DeleteFileOrFolderController.php b/src/Domain/UploadRequest/Controllers/DeleteFileOrFolderController.php
index ae9aec5e..b1ac7b06 100644
--- a/src/Domain/UploadRequest/Controllers/DeleteFileOrFolderController.php
+++ b/src/Domain/UploadRequest/Controllers/DeleteFileOrFolderController.php
@@ -7,18 +7,12 @@ use Domain\Folders\Models\Folder;
 use Domain\Items\Requests\DeleteItemRequest;
 use Domain\UploadRequest\Models\UploadRequest;
 use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
 
 class DeleteFileOrFolderController
 {
     public function __invoke(DeleteItemRequest $request, UploadRequest $uploadRequest)
     {
-        // Check if upload request is active
-        if ($uploadRequest->status !== 'active') {
-            return response('Gone', 410);
-        }
-
         foreach ($request->input('items') as $file) {
             // Get file or folder item
             $item = get_item($file['type'], $file['id']);
diff --git a/src/Domain/UploadRequest/Controllers/GetFolderTreeForUploadRequestController.php b/src/Domain/UploadRequest/Controllers/GetFolderTreeForUploadRequestController.php
index 2adffb80..521b792c 100644
--- a/src/Domain/UploadRequest/Controllers/GetFolderTreeForUploadRequestController.php
+++ b/src/Domain/UploadRequest/Controllers/GetFolderTreeForUploadRequestController.php
@@ -5,16 +5,14 @@ namespace Domain\UploadRequest\Controllers;
 use App\Http\Controllers\Controller;
 use Domain\Folders\Models\Folder;
 use Domain\UploadRequest\Models\UploadRequest;
+use Illuminate\Contracts\Foundation\Application;
+use Illuminate\Contracts\Routing\ResponseFactory;
+use Illuminate\Http\Response;
 
 class GetFolderTreeForUploadRequestController extends Controller
 {
-    public function __invoke(UploadRequest $uploadRequest)
+    public function __invoke(UploadRequest $uploadRequest): Application|ResponseFactory|Response|array
     {
-        // Check if upload request is active
-        if ($uploadRequest->status !== 'active') {
-            return response('Gone', 410);
-        }
-
         // Get folders
         $folders = Folder::with('folders:id,parent_id,name')
             ->whereParentId($uploadRequest->id)
diff --git a/src/Domain/UploadRequest/Controllers/MoveItemInUploadRequestController.php b/src/Domain/UploadRequest/Controllers/MoveItemInUploadRequestController.php
new file mode 100644
index 00000000..6c1ec899
--- /dev/null
+++ b/src/Domain/UploadRequest/Controllers/MoveItemInUploadRequestController.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Domain\UploadRequest\Controllers;
+
+use App\Http\Controllers\Controller;
+use Domain\Items\Requests\MoveItemRequest;
+use Domain\UploadRequest\Models\UploadRequest;
+
+class MoveItemInUploadRequestController extends Controller
+{
+    public function __invoke(
+        MoveItemRequest $request,
+        UploadRequest $uploadRequest,
+    ) {
+        foreach ($request->input('items') as $item) {
+            $item = get_item($item['type'], $item['id']);
+
+            // Check privileges
+            if (! in_array($item['parent_id'], getChildrenFolderIds($uploadRequest->id))) {
+                return response('Access Denied', 403);
+            }
+
+            $item->update(['parent_id' => $request->input('to_id')]);
+        }
+
+        return response('Done.', 204);
+    }
+}
\ No newline at end of file
diff --git a/src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php b/src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php
index d595330e..79930991 100644
--- a/src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php
+++ b/src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php
@@ -21,11 +21,6 @@ class UploadFilesForUploadRequestController
      */
     public function __invoke(\Domain\Files\Requests\UploadRequest $request, UploadRequest $uploadRequest)
     {
-        // Check if upload request is active
-        if ($uploadRequest->status !== 'active') {
-            return response('Gone', 410);
-        }
-
         // Get upload request root folder query
         $folder = Folder::where('id', $uploadRequest->id);
 
diff --git a/src/Domain/UploadRequest/Middleware/ProtectUploadRequestRoutes.php b/src/Domain/UploadRequest/Middleware/ProtectUploadRequestRoutes.php
new file mode 100644
index 00000000..b15aa778
--- /dev/null
+++ b/src/Domain/UploadRequest/Middleware/ProtectUploadRequestRoutes.php
@@ -0,0 +1,21 @@
+<?php
+namespace Domain\UploadRequest\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class ProtectUploadRequestRoutes
+{
+    /**
+     * Prevent access for setup wizard controllers after initial app installation.
+     */
+    public function handle(Request $request, Closure $next): mixed
+    {
+        // Check if upload request is active
+        if ($request->route()->parameter('uploadRequest')->status !== 'active') {
+            return response('Gone', 410);
+        }
+
+        return $next($request);
+    }
+}
diff --git a/tests/Domain/UploadRequest/UploadRequestEditingTest.php b/tests/Domain/UploadRequest/UploadRequestEditingTest.php
index 781532eb..06dc7d62 100644
--- a/tests/Domain/UploadRequest/UploadRequestEditingTest.php
+++ b/tests/Domain/UploadRequest/UploadRequestEditingTest.php
@@ -289,4 +289,48 @@ class UploadRequestEditingTest extends TestCase
         // Assert primary file was deleted
         Storage::assertMissing("files/$user->id/fake-file.pdf");
     }
+
+    /**
+     * @test
+     */
+    public function it_move_file_to_another_folder_in_upload_request()
+    {
+        $user = User::factory()
+            ->hasSettings()
+            ->create();
+
+        $uploadRequest = UploadRequest::factory()
+            ->create([
+                'status'  => 'active',
+                'user_id' => $user->id,
+            ]);
+
+        $folder = Folder::factory()
+            ->create([
+                'id'      => $uploadRequest->id,
+                'user_id' => $user->id,
+            ]);
+
+        $file = File::factory()
+            ->create([
+                'parent_id' => $uploadRequest->id,
+                'user_id'   => $user->id,
+            ]);
+
+        $this
+            ->postJson("/api/upload-request/$uploadRequest->id/move", [
+                'to_id' => $folder->id,
+                'items' => [
+                    [
+                        'type' => 'file',
+                        'id'   => $file->id,
+                    ],
+                ],
+            ])->assertStatus(204);
+
+        $this->assertDatabaseHas('files', [
+            'id'        => $file->id,
+            'parent_id' => $folder->id,
+        ]);
+    }
 }