diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py
index 68529023..b7bb4164 100644
--- a/rowers/rower_rules.py
+++ b/rowers/rower_rules.py
@@ -440,6 +440,18 @@ WORKOUT permissions
 # check if user is owner or coach of owner of workout
+@rules.predicate
+def is_workout_owner(user, workout):
+ if user.is_anonymous:
+ return False
+
+ try:
+ r = user.rower
+ except AttributeError: # pragma: no cover
+ return False
+
+ return workout.user.user == user
+
 @rules.predicate
 def is_workout_user(user, workout):
@@ -507,7 +519,7 @@ can_change_workout = is_workout_user
 rules.add_perm('workout.change_workout', can_change_workout) # replaces checkworkoutuserview
 rules.add_perm('workout.view_workout', can_view_workout)
-
+rules.add_perm('workout.is_owner', is_workout_owner)
 # checkviewworkouts
diff --git a/rowers/views/importviews.py b/rowers/views/importviews.py
index dd2cd567..ed6a3052 100644
--- a/rowers/views/importviews.py
+++ b/rowers/views/importviews.py
@@ -39,10 +39,15 @@ def default(o): # pragma: no cover
 raise TypeError
 @login_required()
+@permission_required('workout.is_workout_owner', fn=get_user_by_userid, raise_exception=True)
 def workout_export_view(request, id=0, source='c2'):
- r = getrower(request.user)
+ r = getrequestrower(request)
 w = get_workout_by_opaqueid(request, id)
- integration = importsources[source](request.user)
+ if w.user != request.user:
+ messages.error(request, 'You can only export your own workouts')
+ url = reverse('workouts_view')
+ return HttpResponseRedirect(url)
+ integration = importsources[source](r.user)
 try:
 id = integration.workout_export(w)
 except NoTokenError: # pragma: no cover
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index e0b574a1..52589883 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -83,7 +83,7 @@ from rowers.rower_rules import (
 can_start_trial, can_start_plantrial, can_start_coachtrial, can_plan, is_workout_team, is_promember,user_is_basic, is_coachtrial, is_coach,
- workout_is_strava
+ workout_is_strava, is_workout_owner
 )
 from django.shortcuts import render
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index b2ffab6e..f482d0d6 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
@@ -2068,7 +2068,7 @@ def workouts_bulk_actions(request):
 if exportchoice.is_valid():
 destination = exportchoice.cleaned_data['destination']
 for w in workouts:
- integration = importsources[destination](request.user)
+ integration = importsources[destination](r.user)
 try:
 id = integration.workout_export(w)
 messages.info(request,
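Review bot: In is_workout_owner the local `r = user.rower` is assigned only to probe for the related object and never read, so the try/except reads as a leftover; `if user.is_anonymous or not hasattr(user, 'rower'): return False` keeps the same fail-closed outcome in one line (a missing reverse one-to-one raises a subclass of AttributeError, which hasattr also catches). The ownership test `workout.user.user == user` treats `workout.user` as a rower-like object with its own `.user`, whereas the new check in importviews.py compares `w.user` directly against `request.user`; both cannot be right for the same model, so confirm what Workout.user is and align the two. The predicate was inserted directly under the comment `# check if user is owner or coach of owner of workout`, which now appears to describe this function although it handles no coach case; move the comment back above is_workout_user and give the new predicate its own docstring, e.g. `"""True when user is the owner of workout; anonymous users and users without a rower profile never are."""`.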
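Review bot: The permission is registered here as `'workout.is_owner'`, but the decorator added in importviews.py requests `'workout.is_workout_owner'`, so the two names never meet. With django-rules a permission name that was never added tests False, which means every export request would be refused unless some other auth backend grants the name (superusers under the model backend, presumably) — fail-closed, but the feature as committed cannot work. One side has to change; `rules.add_perm('workout.is_workout_owner', is_workout_owner)` matches the decorator and the descriptive naming of the neighbouring `'workout.change_workout'` / `'workout.view_workout'` entries. The same mismatch applies to the decorator line in the importviews.py hunk.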
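Review bot: `fn=get_user_by_userid` hands the predicate whatever that helper resolves, but is_workout_owner dereferences `workout.user.user`; unless get_user_by_userid actually returns the Workout (its name suggests a user), the predicate raises AttributeError — an unhandled 500 instead of the intended 403 — before the body's own check is ever reached, and `raise_exception=True` does not help with that. Resolving the workout from `id` the way the body does keeps decorator and body looking at the same object, e.g. `fn=lambda request, id=0, source='c2': get_workout_by_opaqueid(request, id)`. The inline `if w.user != request.user:` branch disagrees with the predicate's `workout.user.user == user` about what Workout.user is, and once the decorator works it is unreachable for non-owners (the decorator raises PermissionDenied, the body redirects with a message), so keep one of the two and make the comparison match the model; whether `getrequestrower(request)` can return None for a logged-in user without a rower profile is not visible here, so `r.user` below may also need a guard.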
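Review bot: The bulk export loop passes each `w in workouts` to the integration with no ownership check, while the single-export view in this same commit now refuses workouts that are not the requester's; unless `workouts` is already restricted to the requester's own rows earlier in workouts_bulk_actions (the function starts outside the hunk), the bulk path still exports any workout that reaches the loop, and an ownership guard mirroring the single view belongs at the top of the loop body. Switching the integration argument from `request.user` to `r.user` only changes behaviour if `r` can be a rower other than the one owned by `request.user`; if it is always derived from `request.user`, a short comment such as `# r.user rather than request.user: the integration token belongs to the rower profile` would stop the next reader from treating the change as accidental.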