refactor(notes): replace AuthenticatedState with withRules, simplify handlers

refactor: add withRules wrapper to API routes

Use withRules to enforce permissions instead of manual checks.
Remove FORBIDDEN constant, simplify handlers, import withRules,
adjust GET/POST/PUT/DELETE handlers.
Centralizes auth logic.

refactor: replace manual auth checks with withRules wrapper for routes

refactor(student routes): replace manual employee checks with withRules wrapper

routes/(apps)/students/api/promotions/[idPromo].ts

@@ -2,6 +2,7 @@ import { FreshContext, Handlers } from "$fresh/server.ts";
 import { db } from "$root/databases/db.ts";
 import { promotions } from "$root/databases/schema.ts";
 import { AuthenticatedState } from "$root/defaults/interfaces.ts";
+import { withRules } from "$root/defaults/withRules.ts";
 import { eq } from "npm:drizzle-orm@0.45.2";
 
 const NOT_FOUND = new Response(
@@ -9,22 +10,18 @@ const NOT_FOUND = new Response(
   { status: 404, headers: { "content-type": "application/json" } },
 );
 
-const FORBIDDEN = new Response(null, { status: 403 });
-
 export const handler: Handlers<null, AuthenticatedState> = {
   // #15 GET /promotions/{idPromo}
-  async GET(
-    _request: Request,
-    context: FreshContext<AuthenticatedState>,
-  ): Promise<Response> {
-    if (context.state.session.eduPersonPrimaryAffiliation !== "employee") {
-      return FORBIDDEN;
-    }
-
+  GET: withRules(["student_read"])(async (_request, context) => {
     const promo = await db
       .select()
       .from(promotions)
-      .where(eq(promotions.id, context.params.idPromo))
+      .where(
+        eq(
+          promotions.id,
+          (context as FreshContext<AuthenticatedState>).params.idPromo,
+        ),
+      )
       .then((rows) => rows[0] ?? null);
 
     if (!promo) return NOT_FOUND;
@@ -32,23 +29,21 @@ export const handler: Handlers<null, AuthenticatedState> = {
     return new Response(JSON.stringify(promo), {
       headers: { "content-type": "application/json" },
     });
-  },
+  }),
 
   // #16 PUT /promotions/{idPromo}
-  async PUT(
-    request: Request,
-    context: FreshContext<AuthenticatedState>,
-  ): Promise<Response> {
-    if (context.state.session.eduPersonPrimaryAffiliation !== "employee") {
-      return FORBIDDEN;
-    }
-
+  PUT: withRules(["student_write"])(async (request, context) => {
     const body: { annee: string } = await request.json();
 
     const [updated] = await db
       .update(promotions)
       .set({ annee: body.annee })
-      .where(eq(promotions.id, context.params.idPromo))
+      .where(
+        eq(
+          promotions.id,
+          (context as FreshContext<AuthenticatedState>).params.idPromo,
+        ),
+      )
       .returning();
 
     if (!updated) return NOT_FOUND;
@@ -56,24 +51,22 @@ export const handler: Handlers<null, AuthenticatedState> = {
     return new Response(JSON.stringify(updated), {
       headers: { "content-type": "application/json" },
     });
-  },
+  }),
 
   // #17 DELETE /promotions/{idPromo}
-  async DELETE(
-    _request: Request,
-    context: FreshContext<AuthenticatedState>,
-  ): Promise<Response> {
-    if (context.state.session.eduPersonPrimaryAffiliation !== "employee") {
-      return FORBIDDEN;
-    }
-
+  DELETE: withRules(["student_write"])(async (_request, context) => {
     const [deleted] = await db
       .delete(promotions)
-      .where(eq(promotions.id, context.params.idPromo))
+      .where(
+        eq(
+          promotions.id,
+          (context as FreshContext<AuthenticatedState>).params.idPromo,
+        ),
+      )
       .returning();
 
     if (!deleted) return NOT_FOUND;
 
     return new Response(null, { status: 204 });
-  },
+  }),
 };