2FA alert shows incorrect group if enabled on a subgroup and a user is inherited

Original Issue

Steps to reproduce

  1. Add User to GroupA.
  2. Create SubgroupB in GroupA.
  3. Enforce 2FA in SubgroupB.
  4. User is told 2FA is required in GroupA.

Example Project

https://gitlab.com/groups/gitlab-gold/ci-basic-tests/-/edit#js-permissions-settings

What is the current bug behavior?

The alert names the group in which the user is a direct member, rather than the subgroup that is enforcing 2FA, of which they are only an inherited member.

What is the expected correct behavior?

Show the name and link to the subgroup that is enforcing 2FA.

Relevant logs and/or screenshots

(screenshot of the alert, not included)

Output of checks

GitLab.com, GitLab Enterprise Edition 14.8.0-pre 15637332

Possible fixes

Change the banner text:

  • Show the name and link to the subgroup that is enforcing 2FA.

Blocked by #29285 (closed)

Summary

When enforcing 2FA in a subgroup, inherited members from a parent group are not prompted to enable 2FA. Additionally, the error message incorrectly references both the subgroup and the parent group instead of only affiliated groups with 2FA enforced.

Steps to reproduce

  1. Create a new user (e.g., 2fa_test@gmail.com)
  2. Create a top-level group called No2fa
  3. Add the new user to the top-level group (No2fa)
  4. Create a subgroup called 2fa_subgroup_1 within No2fa
  5. Verify that the new user (2fa_test@gmail.com) is an inherited member of 2fa_subgroup_1 by viewing the subgroup’s member list
  6. Enable 2FA enforcement in 2fa_subgroup_1 and set it to take effect immediately
  7. Open a new, incognito browser session, and attempt to sign in to GitLab as the new user (2fa_test@gmail.com)
    • Observe whether the 2FA enforcement prompt appears. Currently, inherited members are not prompted to enable 2FA
  8. Make the user a direct member of 2fa_subgroup_1, refresh the incognito session, and observe the behaviour again. The 2FA enforcement prompt appears (see images below)

What is the current bug behaviour?

  • Inherited members of a subgroup with 2FA enforcement are not prompted to enable 2FA
  • When re-invited to be direct members, the error message displays an alert for both the 2FA-enforced subgroup and the unenforced parent group due to 2FA bottom-up propagation

What is the expected correct behaviour?

  • Both direct and inherited members of a subgroup with enforced 2FA should be prompted to enable 2FA immediately upon sign-in
  • The error message should only display the name and link of the specific subgroup(s) enforcing 2FA

Relevant logs and/or screenshots

  • 2fa-inherited_group_member-NOT_ENFORCED (screenshot)
  • 2fa-direct_group_member-ENFORCED (screenshot)
  • 2fa-leave_subgroup (this enforcement should not exist) (screenshot)

Possible Fixes

  1. Enforce 2FA for Inherited Members (like direct members)

  2. Update Error Message

    • Fixing the enforcement problem above (item 1) should also fix this
    • Reproduce this issue and make sure the alert only contains the subgroups with 2FA enforced. In this case (only the subgroup enforces 2FA), it would be:
      "The group settings for 2fa_subgroup_1 require you to enable Two-Factor Authentication for your account. You can leave 2fa_subgroup_1 if you do not wish to enable 2FA."
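As an added example (not code from GitLab's code base), a small Ruby model of the expected behaviour described above: membership is expanded to inherited subgroups, enforcement is resolved along each group's ancestor chain, and the alert names only the groups whose own setting turns 2FA on. The group names, the extra `plain_subgroup`, and the user accounts are constructed to mirror the reproduction steps.

```ruby
# Constructed model of the expected behaviour from this issue; not GitLab code.
# Group names, flags and memberships are made up to mirror the reproduction steps.
Group = Struct.new(:name, :parent, :require_2fa)
GROUPS = {
  "No2fa"          => Group.new("No2fa", nil, false),             # top-level, not enforcing
  "2fa_subgroup_1" => Group.new("2fa_subgroup_1", "No2fa", true), # subgroup enforcing 2FA
  "plain_subgroup" => Group.new("plain_subgroup", "No2fa", false) # assumed extra subgroup
}.freeze

# Only direct memberships are stored; inherited membership is derived below.
DIRECT_MEMBERSHIPS = {
  "2fa_test@gmail.com"        => ["No2fa"],          # inherited member of both subgroups
  "direct_member@example.com" => ["2fa_subgroup_1"], # assumed direct member
  "outsider@example.com"      => []
}.freeze

# Ancestor chain of a group, nearest parent first.
def ancestors(name)
  chain = []
  while (parent = GROUPS.fetch(name).parent)
    chain << parent
    name = parent
  end
  chain
end

# Direct groups plus every descendant: the inherited memberships the bug ignores.
def effective_groups(user)
  direct = DIRECT_MEMBERSHIPS.fetch(user, [])
  GROUPS.keys.select { |g| direct.include?(g) || !(ancestors(g) & direct).empty? }
end

# Groups the alert must name: for each effective membership, the group (itself or an
# ancestor) whose own setting enforces 2FA. A non-enforcing parent like No2fa never appears.
def groups_requiring_2fa(user)
  effective_groups(user)
    .flat_map { |g| ([g] + ancestors(g)).select { |h| GROUPS.fetch(h).require_2fa } }
    .uniq
end

def two_factor_required?(user)
  !groups_requiring_2fa(user).empty?
end

def alert_text(user)
  names = groups_requiring_2fa(user).join(", ")
  return nil if names.empty?
  "The group settings for #{names} require you to enable Two-Factor Authentication " \
    "for your account. You can leave #{names} if you do not wish to enable 2FA."
end
```

Running `alert_text("2fa_test@gmail.com")` yields exactly the banner quoted in the fix above, while the parent group No2fa is never named.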
Edited Aug 14, 2025 by 🤖 GitLab Bot 🤖