diff --git a/docs/extending/adding_reports.md b/docs/extending/adding_reports.md
index 53dd52ff437..25102ebd935 100644
--- a/docs/extending/adding_reports.md
+++ b/docs/extending/adding_reports.md
@@ -178,15 +178,28 @@ def register_unpublished_changes_report_url():
 Here, we use the `AdminOnlyMenuItem` class to ensure our report icon is only shown to superusers. To make the report visible to all users, you could replace this with `MenuItem`.
+## Setting up permission restriction
+
+Even with the menu item hidden, it would still be possible for any user to visit the report's URL directly, and so it is necessary to set up a permission restriction on the report view itself. This can be done by adding a `dispatch` method to the existing `UnpublishedChangesReportView` view:
+
+```python
+
+ # add the below dispatch method to the existing UnpublishedChangesReportView view
+ def dispatch(self, request, *args, **kwargs):
+ if not self.request.user.is_superuser:
+ return permission_denied(request)
+ return super().dispatch(request, *args, **kwargs)
+```
+
 ## The full code
 ```python
 # /views.py
+from wagtail.admin.auth import permission_denied
 from wagtail.admin.views.reports import PageReportView
 from wagtail.models import Page
-
 class UnpublishedChangesReportView(PageReportView):
 header_icon = 'doc-empty-inverse'
@@ -198,6 +211,11 @@ class UnpublishedChangesReportView(PageReportView):
 def get_queryset(self):
 return Page.objects.filter(has_unpublished_changes=True)
+
+ def dispatch(self, request, *args, **kwargs):
+ if not self.request.user.is_superuser:
+ return permission_denied(request)
+ return super().dispatch(request, *args, **kwargs)
 ```
 ```python