PUT /api/v4/projects/:id/merge_requests/:mr_iid silently rejects duplicate assignee IDs

Summary

When sending a PUT request to update merge request assignees with duplicate IDs in the assignee_ids array, the API silently rejects the update without returning an error.

Steps to reproduce

1. Send a PUT request to /api/v4/projects/:id/merge_requests/:mr_iid with:

{
  "assignee_ids": [123, 456, 123]
}

Current behavior

The request returns HTTP 200 with no error message. The assignees are not updated. The duplicate ID is silently ignored.

Expected behavior

The API should either:

• Accept the request and deduplicate the IDs automatically, or
• Return HTTP 400 with a clear error message explaining that duplicate IDs are not allowed

Relevant code

The issue is in app/services/merge_requests/update_assignees_service.rb at line 16:

return merge_request if new_ids.size != update_attrs[:assignee_ids].size

This check compares the size of deduplicated new_ids against the input update_attrs[:assignee_ids]. If they differ, it returns early without updating or reporting an error.

Possible fixes

1. Auto-deduplicate: Remove the size check and let the deduplicated IDs be applied
2. Return error: Add validation to reject requests with duplicate IDs and return HTTP 400
3. Document behavior: If silent rejection is intentional, document it clearly in the API docs