Enterprise group owner cannot disable 2FA if added indirectly
Summary
Owners of a top-level Enterprise group cannot disable 2FA for users if they were not directly added to the group.
This was reported by a GitLab Premium customer in ticket https://gitlab.zendesk.com/agent/tickets/581306 (internal)
Steps to reproduce
- Add user1 to a sub-group, for example, an 'admin' group
- Invite that group to the top-level group with the Owner role selected
- Add user2 directly to the top-level group with the Owner role selected
Result: Both user1 and user2 are added as owners of the top-level group. Only user2 is able to see the option to disable 2FA for users.
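An added illustrative model of the two ways the ownership check can be written (this is not GitLab's code; the class and method names are hypothetical): a check that consults only direct memberships reproduces the bug, while one that resolves roles through invited groups grants user1 the same Owner rights as user2. It assumes user1 holds the Owner role inside the 'admin' sub-group.

```ruby
# Hypothetical model of group membership resolution; not GitLab's code.
ROLE_RANK = { guest: 1, developer: 2, maintainer: 3, owner: 4 }.freeze
Membership = Struct.new(:user, :role)

class Group
  attr_reader :name, :members, :shared_groups

  def initialize(name)
    @name = name
    @members = []        # direct memberships only
    @shared_groups = []  # [invited_group, max_role] pairs
  end

  def add_member(user, role)
    @members << Membership.new(user, role)
  end

  # Invite another group: its members act here with at most max_role.
  def share_with(group, max_role)
    @shared_groups << [group, max_role]
  end

  # Buggy check: looks at direct members only, so user1 is missed.
  def direct_owner?(user)
    @members.any? { |m| m.user == user && m.role == :owner }
  end

  # Correct check: highest role across direct and invited-group paths.
  def effective_role(user)
    roles = @members.select { |m| m.user == user }.map(&:role)
    @shared_groups.each do |grp, max_role|
      r = grp.effective_role(user)
      roles << [r, max_role].min_by { |x| ROLE_RANK[x] } if r
    end
    roles.max_by { |x| ROLE_RANK[x] }
  end

  def owner?(user)
    effective_role(user) == :owner
  end
end

# Constructed scenario from the reproduction steps above.
def build_scenario
  top = Group.new("top-level")
  admin = Group.new("admin")          # sub-group
  admin.add_member("user1", :owner)   # assumption: user1 owns 'admin'
  top.share_with(admin, :owner)       # invite 'admin' with Owner role
  top.add_member("user2", :owner)     # user2 added directly
  top
end

# check: :direct reproduces the bug; :effective is the expected behaviour.
def can_disable_2fa?(group, user, check: :effective)
  check == :direct ? group.direct_owner?(user) : group.owner?(user)
end
```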
What is the current bug behavior?
Enterprise top-level group owners who were added indirectly (through an invited group) do not see the option to disable 2FA for users.
What is the expected correct behavior?
Any Enterprise top-level group owner can disable user 2FA regardless of how they were added to the group.
OR, if the current behavior is intended, it should be clearly documented.
Output of checks
This bug happens on GitLab.com
Possible fixes
Edited by Iris Blackburn