From f921d3698f09ff39c4c770a2ac61af198fd2cadd Mon Sep 17 00:00:00 2001
From: Henriette Dinger
Date: Fri, 15 Nov 2019 10:17:41 +0100
Subject: [PATCH] Do not override `withCredentials` params when set
---
 .../work-packages/work-package.service.ts | 5 ++-
 .../hal/dm-services/query-order-dm.service.ts | 3 +-
 .../http/openproject-header-interceptor.ts | 31 +++++++++++--------
 3 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/frontend/src/app/components/work-packages/work-package.service.ts b/frontend/src/app/components/work-packages/work-package.service.ts
index d9da6a6eaf..9719b03c85 100644
--- a/frontend/src/app/components/work-packages/work-package.service.ts
+++ b/frontend/src/app/components/work-packages/work-package.service.ts
@@ -56,7 +56,10 @@ export class WorkPackageService {
 'ids[]': ids
 };
 const promise = this.http
- .delete(this.PathHelper.workPackagesBulkDeletePath(), {params: params})
+ .delete(
+ this.PathHelper.workPackagesBulkDeletePath(),
+ {params: params, withCredentials: true}
+ )
 .toPromise();
 if (defaultHandling) {
diff --git a/frontend/src/app/modules/hal/dm-services/query-order-dm.service.ts b/frontend/src/app/modules/hal/dm-services/query-order-dm.service.ts
index 131760c00a..940d3990d1 100644
--- a/frontend/src/app/modules/hal/dm-services/query-order-dm.service.ts
+++ b/frontend/src/app/modules/hal/dm-services/query-order-dm.service.ts
@@ -51,7 +51,8 @@ export class QueryOrderDmService {
 return this.http
 .patch(
 this.orderPath(id),
- { delta: delta }
+ { delta: delta },
+ { withCredentials: true }
 )
 .toPromise()
 .then((response:{t:string}) => response.t);
diff --git a/frontend/src/app/modules/hal/http/openproject-header-interceptor.ts b/frontend/src/app/modules/hal/http/openproject-header-interceptor.ts
index 1d5bd1cfd0..68b6acb144 100644
--- a/frontend/src/app/modules/hal/http/openproject-header-interceptor.ts
+++ b/frontend/src/app/modules/hal/http/openproject-header-interceptor.ts
@@ -10,21 +10,26 @@ export class OpenProjectHeaderInterceptor implements HttpInterceptor {
 intercept(req:HttpRequest, next:HttpHandler):Observable> {
 const csrf_token:string|undefined = jQuery('meta[name=csrf-token]').attr('content');
- let newHeaders = req.headers
- .set('X-Authentication-Scheme', 'Session')
- .set('X-Requested-With', 'XMLHttpRequest');
+ if (req.withCredentials !== false) {
- if (csrf_token) {
- newHeaders = newHeaders.set('X-CSRF-TOKEN', csrf_token);
- }
+ let newHeaders = req.headers
+ .set('X-Authentication-Scheme', 'Session')
+ .set('X-Requested-With', 'XMLHttpRequest');
+
+ if (csrf_token) {
+ newHeaders = newHeaders.set('X-CSRF-TOKEN', csrf_token);
+ }
- // Clone the request to add the new header
- const clonedRequest = req.clone({
- withCredentials: true,
- headers: newHeaders
- });
+ // Clone the request to add the new header
+ const clonedRequest = req.clone({
+ withCredentials: true,
+ headers: newHeaders
+ });
+
+ // Pass the cloned request instead of the original request to the next handle
+ return next.handle(clonedRequest);
+ }
- // Pass the cloned request instead of the original request to the next handle
- return next.handle(clonedRequest);
+ return next.handle(req);
 }
 }
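Review bot: The guard `if (req.withCredentials !== false)` cannot tell an omitted option from an explicit `false`, because Angular's `HttpRequest` coerces a missing `withCredentials` to `false`. The session headers and `X-CSRF-TOKEN` are therefore opt-in after this change, not opt-out as the condition reads. That is consistent with the two call-site hunks in this patch (`work-package.service.ts` and `query-order-dm.service.ts`), which had to add `withCredentials: true`. Any other state-changing `HttpClient` caller not shown here would now be sent without the CSRF token and would presumably be rejected by the server, so the remaining callers are worth auditing before merge. I would write the condition as `if (req.withCredentials) {` and put `// HttpRequest defaults withCredentials to false, so only callers that opt in receive the session and CSRF headers` above it, which also documents that the token is deliberately withheld from requests that did not ask for credentials.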