Because the information shown on the preflight page is highly sensitive, it is highly advisable to limit access to it.
By default, only registered users who have access to Django admin can see that page; everyone else gets a 404 error page.
If this is not enough, or if you need some other way of assessing access rights, you can provide your own code.
Each preflight class can have an authenticate(self, request) method, which gets a request object and returns True if the given request is authorized to access the page. Otherwise a 404 error code is returned.
As you may have noticed, the authenticate method is supplied for each application and not for the whole project. This raises the question: what happens if two or more applications contain an authenticate method?
In that case, the request must be approved by all the authenticate methods before the page is displayed. It is enough for just one to veto the access. This means that you can only tighten security when adding new preflight classes, never loosen it.
Below is a quick example of a very simple authorization scheme. This particular one allows only one user to access the page:
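
    import preflight

    class AppPreflight(preflight.Preflight):
        def authenticate(self, request):
            # Approve only the user 'blackknight'.
            if request.user.username == 'blackknight':
                return True
            # Everyone else is refused and gets the 404 page.
            return False

    preflight.register(AppPreflight)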
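
The veto rule described above can be checked with a small stand-alone model. This is an added example, not django-preflight's own code: is_authorized, make_request, StaffFromOpsNet, OPS_NET and the sample addresses are hypothetical, and the request objects are constructed stand-ins for Django requests.

```python
# Stand-alone model of the veto rule; not django-preflight code, all names hypothetical.
import ipaddress
from types import SimpleNamespace

OPS_NET = ipaddress.ip_network('10.20.0.0/16')  # constructed subnet


class OnlyBlackKnight:
    """Same rule as the page's example: approve one username."""
    def authenticate(self, request):
        if request.user.username == 'blackknight':
            return True  # any other user falls through to None (falsy)


class StaffFromOpsNet:
    """A second application's check: staff account on the ops subnet."""
    def authenticate(self, request):
        addr = ipaddress.ip_address(request.META.get('REMOTE_ADDR', ''))
        return request.user.is_staff and addr in OPS_NET


def is_authorized(request, checks):
    """True only if every check returns True; one veto is enough.
    Model choice: an empty list or a raising check also denies."""
    if not checks:
        return False
    for check in checks:
        try:
            if check.authenticate(request) is not True:
                return False
        except Exception:
            return False
    return True


def make_request(username, is_staff, addr):
    """Constructed stand-in for a Django request object."""
    user = SimpleNamespace(username=username, is_staff=is_staff)
    return SimpleNamespace(user=user, META={'REMOTE_ADDR': addr})


if __name__ == '__main__':
    one, both = [OnlyBlackKnight()], [OnlyBlackKnight(), StaffFromOpsNet()]
    for name, staff, addr in [('blackknight', True, '10.20.3.4'),
                              ('blackknight', True, '203.0.113.9'),
                              ('arthur', True, '10.20.3.4')]:
        req = make_request(name, staff, addr)
        print(name, addr, is_authorized(req, one), is_authorized(req, both))
```

Adding the second check only removes access: blackknight from outside the subnet passes the first list and is refused by the second, and no request passes the second list without also passing the first.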