From 7bfc4f999231385f2dc24cbb2d34b09cf5ae96c1 Mon Sep 17 00:00:00 2001
From: Roger Meier <r.meier@siemens.com>
Date: Thu, 13 Jun 2019 12:36:54 +0000
Subject: [PATCH] refactor: do not apply setting "require 2FA" for ancestor
 group members

---
 app/models/group.rb                                           | 2 +-
 .../feature-require-2fa-for-all-entities-in-group.yml         | 2 +-
 spec/models/group_spec.rb                                     | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/models/group.rb b/app/models/group.rb
index ba9f6221567..dbec211935d 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -423,7 +423,7 @@ class Group < Namespace
   def update_two_factor_requirement
     return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
 
-    direct_and_indirect_members.find_each(&:update_two_factor_requirement)
+    members_with_descendants.find_each(&:update_two_factor_requirement)
   end
 
   def path_changed_hook
diff --git a/changelogs/unreleased/feature-require-2fa-for-all-entities-in-group.yml b/changelogs/unreleased/feature-require-2fa-for-all-entities-in-group.yml
index ff04f99c1bb..0abe777fb69 100644
--- a/changelogs/unreleased/feature-require-2fa-for-all-entities-in-group.yml
+++ b/changelogs/unreleased/feature-require-2fa-for-all-entities-in-group.yml
@@ -1,4 +1,4 @@
-title: Apply the group setting "require 2FA" across all subgroup and ancestor group members as well when changing the group setting
+title: Apply the group setting "require 2FA" across all subgroup members as well when changing the group setting
 merge_request: 24965
 author: rroger
 type: changed
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 074aec3eb07..d7accbef6bd 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -662,14 +662,14 @@ describe Group do
           expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
         end
 
-        it 'enables two_factor_requirement for ancestor group member' do
+        it 'does not enable two_factor_requirement for ancestor group member' do
           ancestor_group = create(:group)
           ancestor_group.add_user(indirect_user, GroupMember::OWNER)
           group.update!(parent: ancestor_group)
 
           group.update!(require_two_factor_authentication: true)
 
-          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
+          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_falsey
         end
       end