fix(member-export): forbid request without actor instead of falling through

The nil-actor guard used a one-armed if and continued into the export path regardless. The CheckPagePermission plug already halts unauthenticated requests before this controller runs, so the corrected early return preserves observable behavior while removing the dead fall-through. The export action is split into per-payload clauses so the guard reads as a flat early return.

lib/mv_web/controllers/member_export_controller.ex

@@ -25,29 +25,31 @@ defmodule MvWeb.MemberExportController do
   @custom_field_prefix Mv.Constants.custom_field_prefix()
 
   def export(conn, params) do
-    actor = current_actor(conn)
-    if is_nil(actor), do: return_forbidden(conn)
+    case current_actor(conn) do
+      nil -> return_forbidden(conn)
+      actor -> export_with_actor(conn, actor, params["payload"])
+    end
+  end
 
-    case params["payload"] do
-      nil ->
-        conn
-        |> put_status(400)
-        |> put_resp_content_type("application/json")
-        |> json(%{error: "payload required"})
-
-      payload when is_binary(payload) ->
+  defp export_with_actor(conn, actor, payload) when is_binary(payload) do
     case Jason.decode(payload) do
       {:ok, decoded} when is_map(decoded) ->
-            parsed = parse_and_validate(decoded)
-            run_export(conn, actor, parsed)
+        run_export(conn, actor, parse_and_validate(decoded))
 
       _ ->
+        json_error(conn, "invalid JSON")
+    end
+  end
+
+  defp export_with_actor(conn, _actor, _payload) do
+    json_error(conn, "payload required")
+  end
+
+  defp json_error(conn, message) do
     conn
     |> put_status(400)
     |> put_resp_content_type("application/json")
-            |> json(%{error: "invalid JSON"})
-        end
-    end
+    |> json(%{error: message})
   end
 
   defp current_actor(conn) do