Sub-groups API returns require_two_factor_authentication = false despite top-level group restriction


Original Issue

Proposal

In cases when the top-level group has the following settings:

  • "Requires all users in this group to set up two factor authentication" set to true
  • "Allow subgroups to set up their own two-factor authentication rules" set to false

When calling /groups/sub-groupID, the attribute require_two_factor_authentication in the response shows false.

The problem is that there is no way to know from the GitLab API responses that MFA DOES apply to members of subgroups that are not members of the top-level group.

The fix would be for the API to return require_two_factor_authentication = true for all subgroups of a parent group where require_two_factor_authentication is set to true and subgroups are not allowed to set their own rule.

Additional request for the "Allow subgroups to set up their own two-factor authentication rules" Attribute: #352725

Summary

In cases where a top-level group has the following general settings:

  • "Requires all users in this group to set up two-factor authentication" set to true
  • "Allow subgroups to set up their own two-factor authentication rules" set to false

When calling the /groups/sub-groupID endpoint, the require_two_factor_authentication attribute in the response shows false.

This is a bug because it suggests that 2FA does not apply to members of subgroups that are not members of the top-level group.

Steps to reproduce

  1. Create a top-level group with the following settings:
    • Enable "Requires all users in this group to set up two-factor authentication."
    • Disable "Allow subgroups to set up their own two-factor authentication rules."
  2. Create a subgroup under the top-level group
  3. Call the /groups/sub-groupID API endpoint for the created subgroup

What is the current bug behaviour?

The require_two_factor_authentication attribute in the API response for the subgroup is false, indicating that MFA does not apply, despite the top-level group's settings.

What is the expected correct behaviour?

The API should return require_two_factor_authentication = true for all subgroups of a parent group where require_two_factor_authentication is set to true and subgroups are not allowed to set their own rules.

Should follow the docs
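Until the API reports the inherited value, a consumer can recover the effective requirement by walking a group's parent_id chain and checking whether any ancestor has require_two_factor_authentication set. The script below is an added example, not code from GitLab or from this issue; the group records are constructed sample data shaped like the relevant fields of GET /groups/:id, and because the "allow subgroups to set their own rules" flag is not exposed by the API (see #352725), the walk conservatively treats any enforcing ancestor as applying to the subgroup.

```python
"""Derive the effective 2FA requirement of a GitLab group from its ancestors."""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Constructed sample responses, trimmed to the fields this check uses.
# "acme" enforces 2FA; its subgroups report False (the bug described above).
SAMPLE_GROUPS: Dict[int, Dict[str, Any]] = {
    10: {"id": 10, "full_path": "acme", "parent_id": None,
         "require_two_factor_authentication": True, "two_factor_grace_period": 48},
    11: {"id": 11, "full_path": "acme/platform", "parent_id": 10,
         "require_two_factor_authentication": False, "two_factor_grace_period": 48},
    12: {"id": 12, "full_path": "acme/platform/infra", "parent_id": 11,
         "require_two_factor_authentication": False, "two_factor_grace_period": 48},
    20: {"id": 20, "full_path": "other", "parent_id": None,
         "require_two_factor_authentication": False, "two_factor_grace_period": 48},
}


def sample_fetch(group_id: int) -> Dict[str, Any]:
    """Offline stand-in for GET /groups/:id backed by the sample data."""
    return SAMPLE_GROUPS[group_id]


def api_fetch(group_id: int) -> Dict[str, Any]:
    """Real fetch; assumes GITLAB_URL and GITLAB_TOKEN environment variables."""
    url = f"{os.environ['GITLAB_URL'].rstrip('/')}/api/v4/groups/{group_id}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def effective_two_factor(group_id: int,
                         fetch: Callable[[int], Dict[str, Any]] = sample_fetch) -> Dict[str, Any]:
    """Walk group -> parent -> ... -> top-level; 2FA applies if any ancestor enforces it."""
    chain: List[Dict[str, Any]] = []
    seen = set()
    current: Optional[int] = group_id
    while current is not None:
        if current in seen:  # defensive: a malformed parent_id chain must not loop forever
            raise ValueError(f"cycle in parent chain at group {current}")
        seen.add(current)
        group = fetch(current)
        chain.append(group)
        current = group.get("parent_id")
    enforcer = next((g for g in chain if g.get("require_two_factor_authentication")), None)
    return {
        "group": chain[0]["full_path"],
        "reported": bool(chain[0].get("require_two_factor_authentication")),  # what the API says
        "effective": enforcer is not None,                                     # what actually applies
        "enforced_by": enforcer["full_path"] if enforcer else None,
    }
```

Pass `fetch=api_fetch` to run the same walk against a live instance; the "reported" and "effective" fields differ exactly in the situation this issue describes.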

Edited by 🤖 GitLab Bot 🤖