This is now entirely handled by `create_note`:
1. Project snippets prevent `create_note`.
2. Uploads already only support routing for personal snippets.
This simplifies some policies and access checks, too!
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.
Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.