# **Summary** When updating a merge request via the REST API (`PUT /projects/:id/merge_requests/:merge_request_iid`) and assigning members, if the assignee list contains a user who only has the _Guest_ role in the target project, GitLab Enterprise Edition returns `200 OK` but does not assign anyone from the list. --- # **Steps to reproduce** 1. Use GitLab Enterprise Edition `v18.2.4-ee`. 2. Create a merge request in a project. 3. Send a `PUT` request to the MR endpoint, including an `assignee_ids` list that contains at least one user who has the _Guest_ role in the target project. 4. Observe the response. --- # **Expected behavior** * GitLab should reject the request with a proper error code (e.g., `400` or `403`), indicating that one or more assignees cannot be assigned due to insufficient permissions. --- # **Actual behavior** * The API responds with `200 OK`. * No assignee from the provided list is applied to the merge request. * In the Web UI, such a user cannot even be selected as assignee (they are correctly shown as “cannot merge”), which is the expected behavior. --- # **Additional notes** * When the affected user’s role is changed from _Guest_ to _Developer_, the exact same API request works correctly and the assignees are applied as expected. * This suggests the UI performs proper validation, but the REST API does not return an appropriate error when invalid assignees are included.