REST API: MR update returns 200 when assigning Guest user, no assignees applied

Summary

When updating a merge request via the REST API (PUT /projects/:id/merge_requests/:merge_request_iid) and assigning members, if the assignee list contains a user who only has the Guest role in the target project, GitLab Enterprise Edition returns 200 OK but does not assign anyone from the list.


Steps to reproduce

  1. Use GitLab Enterprise Edition v18.2.4-ee.
  2. Create a merge request in a project.
  3. Send a PUT request to the MR endpoint, including an assignee_ids list that contains at least one user who has the Guest role in the target project.
  4. Observe the response.

Expected behavior

  • GitLab should reject the request with a proper error code (e.g., 400 or 403), indicating that one or more assignees cannot be assigned due to insufficient permissions.

Actual behavior

  • The API responds with 200 OK.
  • No assignee from the provided list is applied to the merge request.
  • In the Web UI, such a user cannot even be selected as an assignee (they are correctly shown as “cannot merge”), which is the expected behavior.

Additional notes

  • When the affected user’s role is changed from Guest to Developer, the exact same API request works correctly and the assignees are applied as expected.
  • This suggests the UI performs proper validation, but the REST API does not return an appropriate error when invalid assignees are included.
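
A client-side guard for the behavior reported above, as an added example that is not part of the original issue or GitLab's own code: it sends the update, then compares the `assignees` array of the returned merge request against the requested `assignee_ids` instead of trusting the 200 status. The function names, `base_url`, and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request


class AssigneesNotApplied(Exception):
    """Raised when the API answers 200 but drops requested assignees."""


def unapplied_assignees(requested_ids, mr):
    """Return requested user IDs missing from the MR object's `assignees`."""
    applied = {a["id"] for a in mr.get("assignees") or []}
    return sorted(set(requested_ids) - applied)


def update_assignees(base_url, token, project_id, mr_iid, assignee_ids):
    """PUT assignee_ids, then verify the returned MR instead of trusting 200.

    Assumes assignee_ids holds real user IDs (hypothetical helper).
    """
    project = urllib.parse.quote(str(project_id), safe="")
    url = f"{base_url}/api/v4/projects/{project}/merge_requests/{mr_iid}"
    body = json.dumps({"assignee_ids": list(assignee_ids)}).encode()
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        mr = json.load(resp)
    missing = unapplied_assignees(assignee_ids, mr)
    if missing:
        raise AssigneesNotApplied(f"200 OK but not assigned: {missing}")
    return mr


# Constructed sample responses (not captured from a real instance).
SAMPLE_SILENT_FAILURE = json.loads('{"iid": 7, "assignees": []}')
SAMPLE_SUCCESS = json.loads('{"iid": 7, "assignees": [{"id": 11}, {"id": 12}]}')

if __name__ == "__main__":
    print(unapplied_assignees([11, 12], SAMPLE_SILENT_FAILURE))
    print(unapplied_assignees([11, 12], SAMPLE_SUCCESS))
```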