Add permission check

app/controllers/admin/product_preview_controller.rb

@@ -4,6 +4,7 @@ module Admin
   class ProductPreviewController < Spree::Admin::BaseController
     def show
       @product = Spree::Product.find(params[:id])
+      authorize! :show, @product
 
       respond_with do |format|
         format.turbo_stream {
@@ -11,5 +12,11 @@ module Admin
         }
       end
     end
+
+    private
+
+    def model_class
+      Spree::Product
+    end
   end
 end

spec/system/admin/products_v3/actions_spec.rb

@@ -481,7 +481,6 @@ RSpec.describe 'As an enterprise user, I can manage my products' do
       let!(:variant) { create(:variant, product:) }
 
       it "show product preview modal" do
-        login_as_admin
         visit admin_products_url
 
         within row_containing_name("Apples") do