diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index f31d9aa04..3fc3d4c90 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -1,9 +1,11 @@
 class TeamsController < ApplicationController
- before_action :load_vars, only: [:parse_sheet, :import_samples, :export_samples]
+ before_action :load_vars, only: [:parse_sheet, :import_samples, :export_samples
+ :export_all]
 before_action :check_create_samples_permissions, only: %i(parse_sheet import_samples)
 before_action :check_view_samples_permission, only: [:export_samples]
+ before_action :check_export_all_permission, only: [:export_all]
 def parse_sheet
 session[:return_to] ||= request.referer
@@ -278,6 +280,17 @@ class TeamsController < ApplicationController
 end
 end
+ def check_export_all_permission
+ render_403 unless can_read_team?(@team)
+ if export_params[:project_ids]
+ projects = Project.where(id: export_params[:project_ids])
+ projects.each do |project|
+ render_403 unless can_read_project(current_user, project)
+ end
+ end
+ end
+
 def generate_samples_zip
 zip = ZipExport.create(user: current_user)
 zip.generate_exportable_zip(
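Review bot: The array handed to `before_action :load_vars` is missing the comma after `:export_samples`, so `[... :export_samples` followed by `:export_all]` on the next line is a syntax error that stops the whole controller from loading. Since the line right below already uses the `%i(...)` form, the cleanest fix is `before_action :load_vars, only: %i(parse_sheet import_samples export_samples export_all)`. Keep `:export_all` in that list rather than dropping it to fix the syntax: the new `check_export_all_permission` callback reads `@team`, which presumably `load_vars` sets, and the callback order here is what makes that assignment happen first.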
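Review bot: `render_403` on the first line of `check_export_all_permission` does not return, so a request that fails the team check still runs the project loop, and two unreadable projects in that loop each call `render_403`; with the usual render-based helper that ends in a DoubleRenderError rather than a clean 403 (the helper's definition is outside this hunk, so this is inferred). Write the guards so the first failure is also the last: `return render_403 unless can_read_team?(@team)` and, in place of the `each` loop, `render_403 unless projects.all? { |project| can_read_project(current_user, project) }`. The mixed naming `can_read_team?` versus `can_read_project` is also worth checking against the actual helper names before this ships. If `@team` has a projects association, looking the ids up through it instead of `Project.where(id: ...)` would additionally reject project ids that belong to another team.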