1 files changed, 32 insertions, 0 deletions

diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 08d113bc0f3..d5fe89cfd59 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -4,6 +4,8 @@ module Groups
   class UpdateService < Groups::BaseService
     include UpdateVisibilityLevel
 
+    SETTINGS_PARAMS = [:allow_mfa_for_subgroups].freeze
+
     def execute
       reject_parent_id!
       remove_unallowed_params
@@ -21,6 +23,8 @@ module Groups
 
       return false unless update_shared_runners
 
+      handle_changes
+
       before_assignment_hook(group, params)
 
       handle_namespace_settings
@@ -89,6 +93,19 @@ module Groups
         # don't enqueue immediately to prevent todos removal in case of a mistake
         TodosDestroyer::GroupPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, group.id)
       end
+
+      update_two_factor_requirement_for_subgroups
+    end
+
+    def update_two_factor_requirement_for_subgroups
+      settings = group.namespace_settings
+
+      return if settings.allow_mfa_for_subgroups
+
+      if settings.previous_changes.include?(:allow_mfa_for_subgroups)
+        # enque in batches members update
+        DisallowTwoFactorForSubgroupsWorker.perform_async(group.id)
+      end
     end
 
     def reject_parent_id!
@@ -101,6 +118,21 @@ module Groups
       params.delete(:default_branch_protection) unless can?(current_user, :update_default_branch_protection, group)
     end
 
+    def handle_changes
+      handle_settings_update
+    end
+
+    def handle_settings_update
+      settings_params = params.slice(*allowed_settings_params)
+      allowed_settings_params.each { |param| params.delete(param) }
+
+      ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
+    end
+
+    def allowed_settings_params
+      SETTINGS_PARAMS
+    end
+
     def valid_share_with_group_lock_change?
       return true unless changing_share_with_group_lock?
       return true if can?(current_user, :change_share_with_group_lock, group)