From b791daf10cbeeaf82c19e6caa036e00fcc7897db Mon Sep 17 00:00:00 2001
From: zandercymatics <141044360+zandercymatics@users.noreply.github.com>
Date: Wed, 20 Nov 2024 10:04:24 -0700
Subject: [PATCH] Guard report behind perms check

Not strictly necessary as we check anyway, but double security
---
 src/registrar/views/report_views.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/registrar/views/report_views.py b/src/registrar/views/report_views.py
index cff177d6d..56867216e 100644
--- a/src/registrar/views/report_views.py
+++ b/src/registrar/views/report_views.py
@@ -174,11 +174,23 @@ class ExportMembersPortfolio(View): def get(self, request, *args, **kwargs): """Returns the members report""" + portfolio = request.session.get("portfolio") + + # Check if the user has organization access + if not request.user.is_org_user(request): + return render(request, "403.html", status=403) + + # Check if the user has member permissions + if ( + not request.user.has_view_members_portfolio_permission(portfolio) + and not request.user.has_edit_members_portfolio_permission(portfolio) + ): + return render(request, "403.html", status=403) # Swap the spaces for dashes to make the formatted name look prettier portfolio_display = "organization" - if request.session.get("portfolio"): - portfolio_display = str(request.session.get("portfolio")).lower().replace(" ", "-") + if portfolio: + portfolio_display = str(portfolio).lower().replace(" ", "-") response = HttpResponse(content_type="text/csv") response["Content-Disposition"] = f'attachment; filename="members-for-{portfolio_display}.csv"'
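Review bot: The new permission check passes `portfolio` straight into the two helpers even when `request.session.get("portfolio")` returned None, so the `portfolio_display = "organization"` fallback a few lines later only runs in the case those helpers most likely reject — whether they tolerate None is not visible in this hunk. Make the intent explicit before calling them, e.g. `if portfolio is None: return render(request, "403.html", status=403)`, or document on the view that a missing session portfolio is a supported path if it is. The hunk header also shows `class ExportMembersPortfolio(View)` with no login mixin, so unless the URL route wraps the view, an anonymous request reaches `request.user.is_org_user(request)` on Django's AnonymousUser and dies with AttributeError (a 500) rather than the intended 403; adding `LoginRequiredMixin` to the class or an `if not request.user.is_authenticated` guard ahead of this check closes that gap. As a style point, both 403 branches render the template by hand; raising `PermissionDenied` and letting Django's 403 handler render `403.html` would de-duplicate them. The body of `get` continues past the end of the hunk.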