Guard report behind perms check

Not strictly necessary as we check anyway, but double security

src/registrar/views/report_views.py

@@ -174,11 +174,23 @@ class ExportMembersPortfolio(View):
 
     def get(self, request, *args, **kwargs):
         """Returns the members report"""
+        portfolio = request.session.get("portfolio")
+
+        # Check if the user has organization access
+        if not request.user.is_org_user(request):
+            return render(request, "403.html", status=403)
+        
+        # Check if the user has member permissions
+        if (
+            not request.user.has_view_members_portfolio_permission(portfolio)
+            and not request.user.has_edit_members_portfolio_permission(portfolio)
+        ):
+            return render(request, "403.html", status=403)
 
         # Swap the spaces for dashes to make the formatted name look prettier
         portfolio_display = "organization"
-        if request.session.get("portfolio"):
-            portfolio_display = str(request.session.get("portfolio")).lower().replace(" ", "-")
+        if portfolio:
+            portfolio_display = str(portfolio).lower().replace(" ", "-")
 
         response = HttpResponse(content_type="text/csv")
         response["Content-Disposition"] = f'attachment; filename="members-for-{portfolio_display}.csv"'