refactor: do not apply setting "require 2FA" for ancestor group members

app/models/group.rb

@@ -423,7 +423,7 @@ class Group < Namespace
   def update_two_factor_requirement
     return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
 
-    direct_and_indirect_members.find_each(&:update_two_factor_requirement)
+    members_with_descendants.find_each(&:update_two_factor_requirement)
   end
 
   def path_changed_hook

changelogs/unreleased/feature-require-2fa-for-all-entities-in-group.yml

-title: Apply the group setting "require 2FA" across all subgroup and ancestor group members as well when changing the group setting
+title: Apply the group setting "require 2FA" across all subgroup members as well when changing the group setting
 merge_request: 24965
 author: rroger
 type: changed

spec/models/group_spec.rb

@@ -662,14 +662,14 @@ describe Group do
           expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
         end
 
-        it 'enables two_factor_requirement for ancestor group member' do
+        it 'does not enable two_factor_requirement for ancestor group member' do
           ancestor_group = create(:group)
           ancestor_group.add_user(indirect_user, GroupMember::OWNER)
           group.update!(parent: ancestor_group)
 
           group.update!(require_two_factor_authentication: true)
 
-          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
+          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_falsey
         end
       end