Only admin and users of distributors can access admin orders

app/controllers/spree/admin/overview_controller_decorator.rb

@@ -0,0 +1,13 @@
+module Spree
+  module Admin
+    class OverviewController < Spree::Admin::BaseController
+      def index
+        if current_spree_user.admin? || current_spree_user.enterprises.any?{ |e| e.is_distributor? }
+          redirect_to admin_orders_path
+        elsif current_spree_user.enterprises.any?{ |e| e.is_primary_producer? }
+          redirect_to bulk_edit_admin_products_path
+        end
+      end
+    end
+  end
+end

app/models/spree/ability_decorator.rb

@@ -8,6 +8,8 @@ class AbilityDecorator
       # when searching for variants to add to the order
       can [:create, :search, :bulk_update], nil
 
+      can [:admin, :index], :overview
+
       # Enterprise User can only access products that they are a supplier for
       can [:create], Spree::Product
       can [:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product  do |product|
@@ -23,11 +25,12 @@ class AbilityDecorator
 
       # Enterprise User can only access orders that they are a distributor for
       can [:index, :create], Spree::Order
-      can [:admin, :read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
+      can [:read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
         # We allow editing orders with a nil distributor as this state occurs
         # during the order creation process from the admin backend
         order.distributor.nil? || user.enterprises.include?(order.distributor)
       end
+      can [:admin], Spree::Order if user.admin? || user.enterprises.any?{ |e| e.is_distributor? }
       can [:admin, :create], Spree::LineItem
 
       can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::Payment

config/routes.rb

@@ -93,6 +93,7 @@ Spree::Core::Engine.routes.prepend do
   match '/admin/orders/bulk_management' => 'admin/orders#bulk_management', :as => "admin_bulk_order_management"
   match '/admin/reports/products_and_inventory' => 'admin/reports#products_and_inventory', :as => "products_and_inventory_admin_reports",  :via  => [:get, :post]
   match '/admin/reports/customers' => 'admin/reports#customers', :as => "customers_admin_reports",  :via  => [:get, :post]
+  match '/admin', :to => 'admin/overview#index', :as => :admin
 
 
   namespace :api, :defaults => { :format => 'json' } do

spec/features/admin/cms_spec.rb

@@ -16,7 +16,7 @@ feature %q{
     page.should have_content "ComfortableMexicanSofa"
 
     click_link 'Spree Admin'
-    current_path.should == spree.admin_path
+    current_path.should == spree.admin_orders_path
   end
 
   scenario "anonymous user can't access CMS admin" do

spec/features/admin/enterprise_user_spec.rb

@@ -71,7 +71,7 @@ feature %q{
       end
 
       scenario "manage products that I supply" do
-        visit 'admin/products'
+        visit '/admin/products'
 
         within '#listing_products' do
           page.should have_content 'Green eggs'
@@ -90,12 +90,12 @@ feature %q{
     end
 
     scenario "should not be able to see system configuration" do
-      visit 'admin/general_settings/edit'
+      visit '/admin/general_settings/edit'
       page.should have_content 'Authorization Failure'
     end
 
     scenario "should not be able to see user management" do
-      visit 'admin/users'
+      visit '/admin/users'
       page.should have_content 'Authorization Failure'
     end
   end

spec/models/spree/ability_spec.rb

@@ -39,6 +39,10 @@ module Spree
           should_not have_ability([:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], for: p2)
         end
 
+        it "should not be able to access admin actions on orders" do
+          should_not have_ability([:admin], for: Spree::Order)
+        end
+
         it "should be able to create a new product" do
           should have_ability(:create, for: Spree::Product)
         end