require update_two_factor_requirement on all sub-entities users

app/models/group.rb

@@ -423,7 +423,7 @@ class Group < Namespace
   def update_two_factor_requirement
     return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
 
-    users.find_each(&:update_two_factor_requirement)
+    User.from_union([users_with_descendants, project_users_with_descendants]).find_each(&:update_two_factor_requirement)
   end
 
   def path_changed_hook

app/models/user.rb

@@ -728,7 +728,8 @@ class User < ApplicationRecord
   end
 
   def expanded_groups_requiring_two_factor_authentication
-    all_expanded_groups.where(require_two_factor_authentication: true)
+    Group.from_union([all_expanded_groups.where(require_two_factor_authentication: true),
+                      authorized_groups.where(require_two_factor_authentication: true)])
   end
 
   # rubocop: disable CodeReuse/ServiceClass

spec/models/group_spec.rb

@@ -654,7 +654,16 @@ describe Group do
     it 'calls #update_two_factor_requirement on each child project member' do
       project = create(:project, group: group)
       project_user = create(:user)
-      project.add_user(project_user, GroupMember::OWNER)
+      project.add_developer(project_user)
+
+      expects_other_user_to_require_two_factors
+    end
+
+    it 'calls #update_two_factor_requirement on each subgroups child project member' do
+      subgroup = create(:group, :nested, parent: group)
+      project = create(:project, group: subgroup)
+      project_user = create(:user)
+      project.add_developer(project_user)
 
       expects_other_user_to_require_two_factors
     end