refactor(notes): replace AuthenticatedState with withRules, simplify handlers

refactor: add withRules wrapper to API routes

Use withRules to enforce permissions instead of manual checks.
Remove FORBIDDEN constant, simplify handlers, import withRules,
adjust GET/POST/PUT/DELETE handlers.
Centralizes auth logic.

refactor: replace manual auth checks with withRules wrapper for routes

refactor(student routes): replace manual employee checks with withRules wrapper

routes/(apps)/notes/api/notes/[numEtud]/[idModule].ts

@@ -1,11 +1,12 @@
 import { Handlers } from "$fresh/server.ts";
 import { db } from "../../../../../../databases/db.ts";
 import { notes } from "../../../../../../databases/schema.ts";
+import { withRules } from "$root/defaults/withRules.ts";
 import { and, eq } from "npm:drizzle-orm@0.45.2";
 
 export const handler: Handlers = {
   // #45 GET /notes/:numEtud/:idModule
-  async GET(_request, context) {
+  GET: withRules(["note_read", "own_note", "own_teaching_note"])(async (_request, context) => {
     try {
       const numEtud = parseInt(context.params.numEtud);
       const { idModule } = context.params;
@@ -47,8 +48,10 @@ export const handler: Handlers = {
     }
   },
 
+  }),
+
   // #46 PUT /notes/:numEtud/:idModule
-  async PUT(request, context) {
+  PUT: withRules(["note_write", "own_teaching_note"])(async (request, context) => {
     try {
       const numEtud = parseInt(context.params.numEtud);
       const { idModule } = context.params;
@@ -97,8 +100,10 @@ export const handler: Handlers = {
     }
   },
 
+  }),
+
   // #47 DELETE /notes/:numEtud/:idModule
-  async DELETE(_request, context) {
+  DELETE: withRules(["note_write"])(async (_request, context) => {
     try {
       const numEtud = parseInt(context.params.numEtud);
       const { idModule } = context.params;
@@ -135,5 +140,5 @@ export const handler: Handlers = {
       console.error("Error deleting note:", error);
       return new Response("Failed to delete note", { status: 500 });
     }
-  },
+  }),
 };