Fix bug where non-project members of the target project could set labels on new merge requests.

Fixes #2292 (closed).

cc @mrtux

mentioned in issue #2292 (closed)

@DouweM @rspeicher should it be rejected on server side too if user has no access to set labels?

@dzaporozhets I believe the parameters are removed server-side if they don't have access. Can you please verify, @DouweM ?

@rspeicher They should be, but apparently that's using the source project rather than the target project when verifying permissions as well. I'll fix it.

Status changed to merged

@rspeicher I was gonna add the fix to this MR, but I'll create a new one.

mentioned in commit 1346756f

@DouweM Oh, sorry. Thanks.

@rspeicher Done in !1183 (merged).

@DouweM thank you for fixing it!