From b946e5631dac578df3a80d61c7fddb6c224aa1bf Mon Sep 17 00:00:00 2001 From: Alex <40072887+alexdcrane@users.noreply.github.com> Date: Sat, 25 Apr 2026 21:18:42 +0000 Subject: [PATCH] Devices: Preserve query string parameters across list and edit pages (#7920) * Devices: Preserve query string parameters across list and edit pages * Update device_edit.php * Update device_copy.php --- app/devices/device_copy.php | 32 ++++++++- app/devices/device_edit.php | 48 ++++++++++---- app/devices/devices.php | 125 ++++++++++++++++++------------------ 3 files changed, 129 insertions(+), 76 deletions(-) diff --git a/app/devices/device_copy.php b/app/devices/device_copy.php index d7e8a5a9d..5d2a11c23 100644 --- a/app/devices/device_copy.php +++ b/app/devices/device_copy.php @@ -188,9 +188,39 @@ message::add($text['message-copy']); } +// Set variables from http GET parameters + $page = is_numeric($_GET['page'] ?? '') ? $_GET['page'] : 0; + $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', ($_GET['order_by'] ?? 'device_label')); + $order = ($_GET['order'] ?? '') === 'desc' ? 'desc' : 'asc'; + $fields = $_GET['fields'] ?? ''; + $search = $_GET['search'] ?? ''; + $show = $_GET['show'] ?? ''; + +// Build the query string + $url_params = []; + if (!empty($page)) { + $url_params['page'] = $page; + } + if (!empty($_GET['order_by'])) { + $url_params['order_by'] = $order_by; + } + if (!empty($_GET['order'])) { + $url_params['order'] = $order; + } + if (!empty($fields)) { + $url_params['fields'] = $fields; + } + if (!empty($search)) { + $url_params['search'] = $search; + } + if (!empty($show) && $show == 'all' && permission_exists('device_all')) { + $url_params['show'] = $show; + } + $query_string = http_build_query($url_params); + //redirect if (is_uuid($device_uuid)) { - header("Location: device_edit.php?id=".urlencode($device_uuid)); + header("Location: device_edit.php?id=".urlencode($device_uuid).($query_string ? '&'.$query_string : '')); } ?> 
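Review bot: `$page`, `$search` and `$fields` are accepted in this block with weaker checks than the values need: `is_numeric()` also admits negative, fractional and exponent forms such as `-1` or `1e3`, and `search`/`fields` are never checked to be strings, so an array-valued parameter flows into `http_build_query()` as nested keys. The same block is pasted into device_edit.php (`@@ -64,6 +58,36 @@`) and devices.php (`@@ -54,6 +54,36 @@`), where `$page` later feeds `$offset = $rows_per_page * $page` and `$search` is concatenated into the `:search` parameter value. I would tighten both, e.g. `$page = filter_var($_GET['page'] ?? 0, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) ?: 0;` and `$search = is_string($_GET['search'] ?? null) ? $_GET['search'] : '';` (likewise for `$fields`). Moving the block into one shared helper would also keep the three copies from drifting apart when the validation changes.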
diff --git a/app/devices/device_edit.php b/app/devices/device_edit.php index 96f422b86..985431c0f 100644 --- a/app/devices/device_edit.php +++ b/app/devices/device_edit.php @@ -36,12 +36,6 @@ $language = new text; $text = $language->get(); -//get order and order by, page - $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', ($_REQUEST["order_by"] ?? '')); - $order = $_REQUEST["order"] ?? 'asc'; - $page = isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ? $_REQUEST['page'] : 0; - $search = $_REQUEST['search'] ?? null; - //set the defaults $device_model = ''; $device_firmware_version = ''; @@ -64,6 +58,36 @@ $device_uuid = uuid(); } +// Set variables from http GET parameters + $page = is_numeric($_GET['page'] ?? '') ? $_GET['page'] : 0; + $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', ($_GET['order_by'] ?? 'device_label')); + $order = ($_GET['order'] ?? '') === 'desc' ? 'desc' : 'asc'; + $fields = $_GET['fields'] ?? ''; + $search = $_GET['search'] ?? ''; + $show = $_GET['show'] ?? ''; + +// Build the query string + $url_params = []; + if (!empty($page)) { + $url_params['page'] = $page; + } + if (!empty($_GET['order_by'])) { + $url_params['order_by'] = $order_by; + } + if (!empty($_GET['order'])) { + $url_params['order'] = $order; + } + if (!empty($fields)) { + $url_params['fields'] = $fields; + } + if (!empty($search)) { + $url_params['search'] = $search; + } + if (!empty($show) && $show == 'all' && permission_exists('device_all')) { + $url_params['show'] = $show; + } + $query_string = http_build_query($url_params); + //get the total device count from the database, check the limit, if defined if ($action == 'add' && $settings->get('limit', 'devices', '') != '') { $sql = "select count(*) from v_devices where domain_uuid = :domain_uuid "; 
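Review bot: Reading the list state only from `$_GET` in the block added at `@@ -64,6 +58,36 @@` means it survives a form submission only if the edit form posts back to a URL that still carries the query string; the removed block read `$_REQUEST`, which also picked the values up from posted fields. The form's action and any hidden inputs are outside these hunks, so this needs confirming; if the action is a bare `device_edit.php`, the post-save redirect and the error redirects to `devices.php` will drop page, order and search after a POST. A short comment on the block, such as `// list state is read from the URL only; the form action must carry $query_string`, would make that dependency explicit.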
@@ -71,7 +95,7 @@ $total_devices = $database->select($sql, $parameters, 'column'); if ($total_devices >= $settings->get('limit', 'devices', '')) { message::add($text['message-maximum_devices'].' '.$settings->get('limit', 'devices', ''), 'negative'); - header('Location: devices.php?'.(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)); + header('Location: devices.php'.($query_string ? '?'.$query_string : '')); exit; } unset($sql, $parameters, $total_devices); @@ -94,7 +118,7 @@ break; } - header('Location: devices.php?'.(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)); + header('Location: devices.php'.($query_string ? '?'.$query_string : '')); exit; } @@ -185,7 +209,7 @@ $token = new token; if (!$token->validate($_SERVER['PHP_SELF'])) { message::add($text['message-invalid_token'],'negative'); - header('Location: devices.php?'.(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)); + header('Location: devices.php'.($query_string ? '?'.$query_string : '')); exit; } @@ -232,7 +256,7 @@ if ($device_domain_name != '') { $message = $text['message-duplicate'].($device_domain_name != $domain_name ? ": ".$device_domain_name : null); message::add($message,'negative'); - header('Location: devices.php?'.(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)); + header('Location: devices.php'.($query_string ? '?'.$query_string : '')); exit; } unset($sql, $parameters, $device_domain_name); 
@@ -515,7 +539,7 @@ message::add($text['message-update']); } //redirect the browser - header("Location: device_edit.php?id=".urlencode($device_uuid).(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)); + header("Location: device_edit.php?id=".urlencode($device_uuid).($query_string ? '&'.$query_string : '')); exit; } @@ -1042,7 +1066,7 @@ echo "
\n"; echo "
".$text['header-device']."
\n"; echo "
\n"; - echo button::create(['type'=>'button','label'=>$text['button-back'],'icon'=>$settings->get('theme', 'button_icon_back', ''),'id'=>'btn_back','link'=>'devices.php?'.(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(isset($page) && is_numeric($page) ? '&page='.$page : null).(!empty($search) ? '&search='.urlencode($search) : null)]); + echo button::create(['type'=>'button','label'=>$text['button-back'],'icon'=>$settings->get('theme', 'button_icon_back', ''),'id'=>'btn_back','link'=>'devices.php'.($query_string ? '?'.$query_string : '')]); if ($action == 'update') { $button_margin = 'margin-left: 15px;'; if (permission_exists("device_line_password") && $qr_code_enabled) { diff --git a/app/devices/devices.php b/app/devices/devices.php index 26c571936..707ee9217 100644 --- a/app/devices/devices.php +++ b/app/devices/devices.php @@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2025 + Portions created by the Initial Developer are Copyright (C) 2008-2026 the Initial Developer. All Rights Reserved. Contributor(s): 
@@ -54,6 +54,36 @@ $devices = $_POST['devices']; } +// Set variables from http GET parameters + $page = is_numeric($_GET['page'] ?? '') ? $_GET['page'] : 0; + $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', ($_GET['order_by'] ?? 'device_label')); + $order = ($_GET['order'] ?? '') === 'desc' ? 'desc' : 'asc'; + $fields = $_GET['fields'] ?? ''; + $search = $_GET['search'] ?? ''; + $show = $_GET['show'] ?? ''; + +// Build the query string + $url_params = []; + if (!empty($page)) { + $url_params['page'] = $page; + } + if (!empty($_GET['order_by'])) { + $url_params['order_by'] = $order_by; + } + if (!empty($_GET['order'])) { + $url_params['order'] = $order; + } + if (!empty($fields)) { + $url_params['fields'] = $fields; + } + if (!empty($search)) { + $url_params['search'] = $search; + } + if (!empty($show) && $show == 'all' && permission_exists('device_all')) { + $url_params['show'] = $show; + } + $query_string = http_build_query($url_params); + //process the http post data by action if (!empty($action) && !empty($devices) && is_array($devices) && @sizeof($devices) != 0) { switch ($action) { @@ -71,18 +101,10 @@ break; } - header('Location: devices.php'.(!empty($search) ? '?search='.urlencode($search).'&fields='.urlencode($fields) : null)); + header('Location: devices.php'.($query_string ? '?'.$query_string : '')); exit; } -//get order and order by and sanatize the values - $order_by = $_GET["order_by"] ?? ''; - $order = $_GET["order"] ?? ''; - -//get the search - $search = strtolower($_REQUEST["search"] ?? ''); - $fields = strtolower($_REQUEST["fields"] ?? ''); - //get total devices count from the database $sql = "select count(*) from v_devices "; $sql .= "where domain_uuid = :domain_uuid "; @@ -107,7 +129,7 @@ //get the count $sql = "select count(*) from v_devices as d "; - if (isset($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { + if ($show == "all" && permission_exists('device_all')) { if (!empty($search)) { $sql .= "where "; } 
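Review bot: Defaulting `$order_by` to `'device_label'` makes the later `if (empty($order_by))` branch (context in `@@ -289,7 +290,7 @@`), which orders by `d.device_label, d.device_description`, unreachable for a request without `order_by`; it is now taken only when the sanitiser strips the value down to an empty string. The `else` side of that branch is outside the diff, so whether the resulting sort is equivalent cannot be confirmed from here. If the two-column default is still intended, keep the fallback empty as the removed line did, `($_GET['order_by'] ?? '')`.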
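Review bot: `$fields` loses its `strtolower()` together with the removed `$_REQUEST` lines in `@@ -71,18 +101,10 @@`, and nothing in the diff replaces it, unlike `$search`, which is now lowered at the point of use with `lower_case($search)`. The code that consumes `$fields` is outside these hunks; if it compares the value against lowercase field names, mixed-case input will silently stop matching. The switch from `$_REQUEST` to `$_GET` also means a search submitted by POST is no longer read, which depends on the form method that is not visible here. Either normalise where the value is read, e.g. `$fields = strtolower($fields);` after the type check, or add a comment stating that `fields` is case-sensitive and GET-only.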
@@ -157,37 +179,16 @@ $sql .= " ) "; } $sql .= ") "; - $parameters['search'] = '%'.strtolower($search).'%'; + $parameters['search'] = '%'.lower_case($search).'%'; } $num_rows = $database->select($sql, $parameters ?? null, 'column'); unset($sql, $parameters); //prepare to page the results $rows_per_page = intval($settings->get('domain', 'paging', 50)); - $param = ''; - if (!empty($search)) { - $param .= "&search=".$search; - $param .= !empty($fields) ? "&fields=".$fields : null; - } - if (!empty($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { - $param .= "&show=all"; - } - if (!empty($order_by)) { - $param .= "&order_by=".$order_by; - } - if (!empty($order)) { - $param .= "&order=".$order; - } - $page = !empty($_GET['page']) && is_numeric($_GET['page']) ? $_GET['page'] : 0; - list($paging_controls, $rows_per_page) = paging($num_rows, $param, $rows_per_page); - list($paging_controls_mini, $rows_per_page) = paging($num_rows, $param, $rows_per_page, true); + list($paging_controls, $rows_per_page) = paging($num_rows, $query_string, $rows_per_page); + list($paging_controls_mini, $rows_per_page) = paging($num_rows, $query_string, $rows_per_page, true); $offset = $rows_per_page * $page; - if (!empty($order_by)) { - $param = str_replace("&order_by=".$order_by, '', $param); - } - if (!empty($order)) { - $param = str_replace("&order=".$order, '', $param); - } //set the time zone $time_zone = $settings->get('domain', 'time_zone', date_default_timezone_get()); @@ -202,7 +203,7 @@ //get the list $sql = "select "; - if (isset($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { + if ($show == "all" && permission_exists('device_all')) { $sql .= "d3.domain_name, "; } $sql .= "d.device_uuid, "; 
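Review bot: `$query_string` is not a drop-in replacement for the removed `$param` when passed to `paging()` in this hunk and to `th_order_by()` in `@@ -403,20 +402,20 @@`: `$param` always began with `&` and never contained `page`, and `order_by`/`order` were stripped from it before it reached `th_order_by()`, whereas `$query_string` has no leading separator and keeps all three keys. Both helpers are defined outside the diff, so this is inferred, but if they append their own `page=` or `order_by=` the generated links will carry duplicate or run-together parameters. Building the helper argument from a filtered copy would keep the old contract, e.g. `$param = http_build_query(array_diff_key($url_params, ['page' => 1]));` for `paging()` (also dropping `order_by` and `order` for `th_order_by()`), prefixed with `&` when non-empty.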
@@ -230,7 +231,7 @@ $sql .= "to_char(timezone(:time_zone, d.device_provisioned_date), 'DD Mon YYYY') as provisioned_date_formatted, \n"; $sql .= "to_char(timezone(:time_zone, d.device_provisioned_date), '".$time_format."') as provisioned_time_formatted \n"; $sql .= "from v_devices as d, v_devices as d2 "; - if (isset($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { + if ($show == "all" && permission_exists('device_all')) { $sql .= ", v_domains as d3 "; } $sql .= "where ( "; @@ -240,7 +241,7 @@ $sql .= " d.device_uuid = d2.device_uuid "; $sql .= " ) "; $sql .= ") "; - if (isset($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { + if ($show == "all" && permission_exists('device_all')) { $sql .= " and d.domain_uuid = d3.domain_uuid "; } else { @@ -289,7 +290,7 @@ $sql .= " ) "; } $sql .= ") "; - $parameters['search'] = '%'.strtolower($search).'%'; + $parameters['search'] = '%'.lower_case($search).'%'; } if (empty($order_by)) { $sql .= "order by d.device_label, d.device_description asc "; @@ -350,17 +351,17 @@ echo button::create(['type'=>'button','label'=>$text['button-delete'],'icon'=>$settings->get('theme', 'button_icon_delete'),'id'=>'btn_delete','name'=>'btn_delete','style'=>'display: none; '.($margin_left ?? null),'onclick'=>"modal_open('modal-delete','btn_delete');"]); unset($margin_left); } - echo "\n"; echo "
\n"; @@ -392,8 +393,6 @@ echo "
\n"; echo "\n"; - echo "\n"; - echo "\n"; echo "
\n"; echo "\n"; 
@@ -403,20 +402,20 @@ echo " \n"; echo " \n"; } - if (!empty($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { - echo th_order_by('domain_name', $text['label-domain'], $order_by, $order, null, null, $param); + if ($show == "all" && permission_exists('device_all')) { + echo th_order_by('domain_name', $text['label-domain'], $order_by, $order, null, null, $query_string); } - echo th_order_by('device_address', $text['label-device_address'], $order_by, $order, null, null, $param); - echo th_order_by('device_label', $text['label-device_label'], $order_by, $order, null, null, $param); + echo th_order_by('device_address', $text['label-device_address'], $order_by, $order, null, null, $query_string); + echo th_order_by('device_label', $text['label-device_label'], $order_by, $order, null, null, $query_string); if ($device_alternate) { - echo th_order_by('device_template', $text['label-device_uuid_alternate'], $order_by, $order, null, null, $param); + echo th_order_by('device_template', $text['label-device_uuid_alternate'], $order_by, $order, null, null, $query_string); } - echo th_order_by('device_vendor', $text['label-device_vendor'], $order_by, $order, null, null, $param); - echo th_order_by('device_template', $text['label-device_template'], $order_by, $order, null, null, $param); + echo th_order_by('device_vendor', $text['label-device_vendor'], $order_by, $order, null, null, $query_string); + echo th_order_by('device_template', $text['label-device_template'], $order_by, $order, null, null, $query_string); echo "\n"; - echo th_order_by('device_enabled', $text['label-device_enabled'], $order_by, $order, null, "class='center'", $param); - echo th_order_by('device_provisioned_date', $text['label-device_status'], $order_by, $order, null, null, $param); - echo th_order_by('device_description', $text['label-device_description'], $order_by, $order, null, "class='hide-sm-dn'", $param); + echo th_order_by('device_enabled', $text['label-device_enabled'], 
$order_by, $order, null, "class='center'", $query_string); + echo th_order_by('device_provisioned_date', $text['label-device_status'], $order_by, $order, null, null, $query_string); + echo th_order_by('device_description', $text['label-device_description'], $order_by, $order, null, "class='hide-sm-dn'", $query_string); if (permission_exists('device_edit') && $settings->get('theme', 'list_row_edit_button', false)) { echo " \n"; } @@ -435,7 +434,7 @@ $list_row_url = ''; if (permission_exists('device_edit')) { - $list_row_url = "device_edit.php?id=".urlencode($row['device_uuid']).(!empty($order_by) ? '&order_by='.$order_by.'&order='.$order : null).(is_numeric($page) ? '&page='.urlencode($page) : null).(!empty($search) ? '&search='.$search : null); + $list_row_url = "device_edit.php?id=".urlencode($row['device_uuid']).($query_string ? '&'.$query_string : ''); if ($row['domain_uuid'] != $_SESSION['domain_uuid'] && permission_exists('domain_select')) { $list_row_url .= '&domain_uuid='.urlencode($row['domain_uuid']).'&domain_change=true'; } @@ -458,7 +457,7 @@ echo " \n"; echo " \n"; } - if (!empty($_GET['show']) && $_GET['show'] == "all" && permission_exists('device_all')) { + if ($show == "all" && permission_exists('device_all')) { echo " \n"; } echo "
". $text['label-device_profiles']." ".escape($row['domain_name'])."";