WIP: Project option to require allow collaboration on merge requests

What does this MR do?

Add new project configuration boolean, merge_requests_require_allow_collaboration to allow maintainers of FF-only projects to merge MRs from GitLab.
Closes #25889

Moved from gitlab-foss!30789 (closed)

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation created/updated or follow-up review issue created
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Performance and testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team

app/models/merge_request.rb

@@ -167,6 +167,7 @@ def check_state?(merge_status)
   validate :validate_branches, unless: [:allow_broken, :importing?, :closed_without_fork?]
   validate :validate_fork, unless: :closed_without_fork?
   validate :validate_target_project, on: :create
+  validate :validate_collaboration
 
   scope :by_source_or_target_branch, ->(branch_name) do
     where("source_branch = :branch OR target_branch = :branch", branch: branch_name)
@@ -666,18 +667,15 @@ def validate_fork
   end
 
   def validate_collaboration
-    return true unless target_project.merge_requests_require_allow_collaboration?
+    return true unless target_project && source_project
+    return true unless must_allow_collaboration?
     return true unless for_fork?
     return true unless source_and_target_projects_not_private?
     return true if can_allow_collaboration?(author)
 
     errors.add :base, 'Target project requires merge requests to allow commits from members who can merge to the target branch'
-
-    if protected_source_branch?
-      errors.add :base, 'Source branch is protected'
-    elsif !can_push_to_source_branch?
-      errors.add :base, 'Author is not allowed to push code to the source project'
-    end
+    errors.add :base, 'Source branch is protected' if protected_source_branch?
+    errors.add :base, 'Author is not allowed to push code to the source project' unless can_push_to_source_project?(author)
   end
 
   def merge_ongoing?
@@ -834,7 +832,7 @@ def can_cancel_auto_merge?(current_user)
   def can_remove_source_branch?(current_user)
     !protected_source_branch? &&
       !source_project.root_ref?(source_branch) &&
-      can_push_to_source_branch? &&
+      can_push_to_source_project?(current_user) &&
       diff_head_sha == source_branch_head.try(:sha)
   end
 
@@ -1430,15 +1428,19 @@ def source_and_target_projects_not_private?
 
   def can_allow_collaboration?(user)
     collaborative_push_possible? &&
-      can_push_to_source_branch?
+      can_push_to_source_project?(user)
   end
 
   def must_allow_collaboration?
     target_project.merge_requests_require_allow_collaboration?
   end
 
-  def can_toggle_collaboration?(user)
-    can_allow_collaboration?(user) && !must_allow_collaboration?
+  def can_toggle_collaboration?(current_user)
+    can_allow_collaboration?(current_user) && !must_allow_collaboration?
+  end
+
+  def should_allow_collaboration?(current_user)
+    can_allow_collaboration?(current_user) && must_allow_collaboration?
   end
 
   def squash_in_progress?
@@ -1476,7 +1478,7 @@ def protected_source_branch?
     ProtectedBranch.protected?(source_project, source_branch)
   end
 
-  def can_push_to_source_branch?
-    Ability.allowed?(author, :push_code, source_project)
+  def can_push_to_source_project?(current_user)
+    Ability.allowed?(current_user, :push_code, source_project)
   end
 end