Fix for potential security issue, if the main list query errors out, …

…we currently then show the affected query, which reveals table names. We now only append the broken query msg if in debug mode (so either Fabrik debug mode is enabled, or J! global debug)

plugins/fabrik_visualization/fullcalendar/models/fullcalendar.php

@@ -339,23 +339,20 @@ public function getCanAdd()
 	{
 		if (!isset($this->canAdd))
 		{
-			$params = $this->getParams();
-			$lists = (array) $params->get('fullcalendar_table');
+			$params       = $this->getParams();
+			$lists        = (array) $params->get('fullcalendar_table');
+			$this->canAdd = false;
 
 			foreach ($lists as $id)
 			{
 				$listModel = JModelLegacy::getInstance('list', 'FabrikFEModel');
 				$listModel->setId($id);
 
-				if (!$listModel->canAdd())
+				if ($listModel->canAdd())
 				{
-					$this->canAdd = false;
-
-					return false;
+					$this->canAdd = true;
 				}
 			}
-
-			$this->canAdd = true;
 		}
 
 		return $this->canAdd;

plugins/fabrik_visualization/fullcalendar/views/fullcalendar/view.partial.php

@@ -36,6 +36,16 @@ public function chooseAddEvent()
 		$usersConfig = JComponentHelper::getParams('com_fabrik');
 		$model->setId($input->getInt('id', $usersConfig->get('visualizationid', $input->getInt('visualizationid', 0))));
 		$rows = $model->getEventLists();
+
+		foreach ($rows as $rowkey => $row) {
+			$listModel = JModelLegacy::getInstance('List', 'FabrikFEModel');
+			$listModel->setId($row->value);
+			if (!$listModel->canAdd())
+			{
+				unset($rows[$rowkey]);
+			}
+		}
+
 		$model->getVisualization();
 		$options   = array();
 		$options[] = JHTML::_('select.option', '', FText::_('PLG_VISUALIZATION_FULLCALENDAR_PLEASE_SELECT'));