...
Verify the validity of access token
Return 401 in case validation fails
Check user scopes in order to perform this action (scope = 'merge_request:write')
Return 403 in case invalid scope(s)
Check the employee has created this merge request. Thus select inserted_by from il.merge_requests of this merge request and compare it with user_id from the token.
If not match - return 403 error (Only author of merge request is allowed to reject it)
Check that client_id from the token maches with il.merge_requests.legal_entity_id
If not match - return 422 error (User doesn’t belong to legal entity where the merge request was created)
...