Group 2FA requirement - change of logic
Problem to solve
When a user is added to a group that enforces two-factor authentication, they are shown the two-factor auth settings page with the option to leave the group (or groups) that require 2FA (MR). They cannot use any other part of their account until they decide whether to stay in the group and set up 2FA or leave the group.
Target audience
Persona
- Sasha, Software Developer, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sasha-software-developer
Proposal
Right now, once a user is invited to a group that enforces 2FA, that user is updated in the database with a requirement flag and their grace period is updated as well (to the shortest of the grace periods across all of their groups; see the user model). With the new changes, we can enforce this block on a per-group basis: a user invited to the group can access all other parts of their account but is blocked from accessing that particular group until 2FA is set up. The grace period is tracked for each group separately.
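To make the difference concrete, here is the current account-wide check next to the proposed per-group check, written as an added example in Ruby. It is not GitLab's code: the Group, Membership and User structures, grace periods expressed in hours, and the sample user are constructed assumptions.

```ruby
require 'time'

# Constructed model (not GitLab's schema): a group that enforces 2FA carries its
# own grace period, counted in hours from when the user was added to the group.
Group      = Struct.new(:name, :require_two_factor, :grace_period_hours)
Membership = Struct.new(:group, :added_at)
User       = Struct.new(:two_factor_enabled, :memberships)

def deadline_for(membership)
  membership.added_at + membership.group.grace_period_hours * 3600
end

# Current logic: a single user-level requirement with one grace period, the
# shortest across all enforcing groups, blocks the whole account once it expires.
def account_blocked_today?(user, now)
  return false if user.two_factor_enabled
  enforcing = user.memberships.select { |m| m.group.require_two_factor }
  return false if enforcing.empty?
  now >= enforcing.map { |m| deadline_for(m) }.min
end

# Proposed logic: each enforcing group is evaluated against its own grace period;
# groups that do not enforce 2FA, and the rest of the account, stay accessible.
def group_access_allowed?(user, membership, now)
  return true if user.two_factor_enabled
  return true unless membership.group.require_two_factor
  now < deadline_for(membership)
end

def access_summary(user, now)
  {
    account_blocked_today: account_blocked_today?(user, now),
    groups: user.memberships.to_h { |m| [m.group.name, group_access_allowed?(user, m, now)] }
  }
end

# Constructed sample: Sasha without 2FA, added at T0 to two enforcing groups with
# different grace periods and to one group that does not enforce 2FA.
T0      = Time.utc(2024, 1, 1, 0, 0, 0)
SECURE  = Group.new('secure-group', true, 24)
FINANCE = Group.new('finance', true, 72)
OPEN    = Group.new('open-source', false, 0)
SASHA   = User.new(false, [Membership.new(SECURE, T0), Membership.new(FINANCE, T0), Membership.new(OPEN, T0)])

puts access_summary(SASHA, T0 + 48 * 3600).inspect if $PROGRAM_NAME == __FILE__
```

Forty-eight hours in, the current logic blocks Sasha's whole account because the 24-hour grace period has expired, while the proposed logic denies only `secure-group` and leaves `finance` (still within its 72-hour grace) and `open-source` reachable.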
Permissions and Security
This will require changes in permissions.
What does success look like, and how can we measure that?
A user can access their account and projects, but cannot access a group that they were invited to and that requires 2FA until they have set up 2FA. The grace period for each group is considered separately.