Extract EE-specific lines from MRs controller

Move access checks to their own method so they can be overridden, and
port an EE-only method to exist in CE too, with an EE-specific override.

app/controllers/projects/merge_requests_controller.rb

@@ -168,7 +168,9 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
   end
 
   def merge
-    return access_denied! unless @merge_request.can_be_merged_by?(current_user)
+    access_check_result = merge_access_check
+
+    return access_check_result if access_check_result
 
     status = merge!
 
@@ -256,6 +258,12 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
       return :failed
     end
 
+    merge_service = ::MergeRequests::MergeService.new(@project, current_user, merge_params)
+
+    unless merge_service.hooks_validation_pass?(@merge_request)
+      return :hook_validation_error
+    end
+
     return :sha_mismatch if params[:sha] != @merge_request.diff_head_sha
 
     @merge_request.update(merge_error: nil, squash: merge_params.fetch(:squash, false))
@@ -318,6 +326,10 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
     access_denied! unless access_check
   end
 
+  def merge_access_check
+    access_denied! unless @merge_request.can_be_merged_by?(current_user)
+  end
+
   def whitelist_query_limiting
     # Also see https://gitlab.com/gitlab-org/gitlab-ce/issues/42441
     Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/42438')

app/services/merge_requests/merge_service.rb

@@ -49,6 +49,11 @@ module MergeRequests
       end
     end
 
+    # Overridden in EE.
+    def hooks_validation_pass?(_merge_request)
+      true
+    end
+
     private
 
     def error_check!