diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index b73715bb2..df9cd2225 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -54,7 +54,7 @@ try {
 case 'download_document':
 // Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
- $sRequestedPortalId = ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) && ($sClass === 'Attachment')) ? 'backoffice' : null;
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
 LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $id = utils::ReadParam('id', '');
 $sField = utils::ReadParam('field', '');
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index ce29048e3..7a91ee802 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -51,13 +51,26 @@ try
 require_once(APPROOT.'/application/user.preferences.class.inc.php');
 require_once(APPROOT.'/application/loginwebpage.class.inc.php');
- LoginWebPage::DoLoginEx(null /* any portal */, false);
+ $operation = utils::ReadParam('operation', '');
+
+ // Only allow export functions to portal users
+ switch ($operation)
+ {
+ case 'export_build':
+ case 'export_cancel':
+ case 'export_download':
+ $sRequestedPortalId = null;
+ break;
+
+ default:
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
+ }
+ LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $oPage = new ajax_page("");
 $oPage->no_cache();
- $operation = utils::ReadParam('operation', '');
 $sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 $sEncoding = utils::ReadParam('encoding', 'serialize');
 $sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');
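Review bot: The comment above the changed line in ajax.document.php no longer describes the guard: dropping `($sClass === 'Attachment')` means every `download_document` request is forced to the backoffice portal when the flag is set, not only Attachment objects, yet the comment (and the setting name `disable_attachments_download_legacy_portal`) still speak of attachments. Suggest rewording it to `// Bug N°1227: when disable_attachments_download_legacy_portal is set, every download_document request (any class, not just Attachment) requires a backoffice login.` so a later reader does not narrow the check back to attachments. If `$sClass` was only read for this condition, check whether it is still needed earlier in the case. The enclosing switch/try block starts before the hunk.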
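Review bot: The comment `// Only allow export functions to portal users` in ajax.render.php overstates what the new switch does: the `default` branch still passes `null` (any portal) unless `disable_attachments_download_legacy_portal` is true, so in the default configuration non-export operations remain reachable from the legacy portal. Suggest `// When disable_attachments_download_legacy_portal is set, every operation except export_* requires a backoffice login; otherwise any portal is accepted.` The allow-list would read more clearly, and be easier to audit, as `$aPortalOps = ['export_build', 'export_cancel', 'export_download'];` followed by `$sRequestedPortalId = in_array($operation, $aPortalOps, true) ? null : ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null);`, which also avoids `switch`'s loose comparison. The same config-to-portal expression now appears in both files, so a shared helper would keep them from drifting; the enclosing try block starts before the hunk.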