Portfolio export needs to verify access control, the easiest way is to use require_login() with correct $cm parameter - replicating the logic from require_login() would be probably a major maintenance problem...
Sample exploit:
1/ go to forum in one browser and copy "Save..." link
2/ make module hidden in another browser as where you are logged in as admin
3/ paste the url in first browser - export will complete anyway