diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index 6c59887730..370b219eff 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -78,9 +78,15 @@ class AbilityDecorator
 end
 can [:admin, :index, :read, :update, :bulk_update], VariantOverride do |vo|
- OpenFoodNetwork::Permissions.new(user).
+ hub_auth = OpenFoodNetwork::Permissions.new(user).
 order_cycle_enterprises.is_distributor.
 include? vo.hub
+
+ producer_auth = OpenFoodNetwork::Permissions.new(user).
+ variant_override_producers.
+ include? vo.variant.product.supplier
+
+ hub_auth && producer_auth
 end
 can [:admin, :index, :read, :create, :edit, :update_positions, :destroy], Spree::ProductProperty
diff --git a/spec/models/spree/ability_spec.rb b/spec/models/spree/ability_spec.rb
index aac9945c57..4ffcc0e3fd 100644
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -239,9 +239,6 @@ module Spree
 o
 end
- let(:vo1) { create(:variant_override, hub: d1, variant: p1.master) }
- let(:vo2) { create(:variant_override, hub: d2, variant: p2.master) }
-
 describe "editing enterprises" do
 let!(:d_related) { create(:distributor_enterprise) }
 let!(:er_pd) { create(:enterprise_relationship, parent: d_related, child: d1, permissions_list: [:edit_profile]) }
@@ -264,6 +261,13 @@ module Spree
 end
 describe "variant overrides" do
+ let(:vo1) { create(:variant_override, hub: d1, variant: p1.master) }
+ let(:vo2) { create(:variant_override, hub: d1, variant: p2.master) }
+ let(:vo3) { create(:variant_override, hub: d2, variant: p1.master) }
+ let(:vo4) { create(:variant_override, hub: d2, variant: p2.master) }
+
+ let!(:er1) { create(:enterprise_relationship, parent: s1, child: d1, permissions_list: [:create_variant_overrides]) }
+
 it "should be able to access variant overrides page" do
 should have_ability([:admin, :index, :bulk_update], for: VariantOverride)
 end
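Review bot: The new producer check in the `VariantOverride` block of `ability_decorator.rb` only runs when an instance is passed to `can?`/`authorize!`; for class-level checks such as `:index` and `:bulk_update` on `VariantOverride` (which the spec in this commit asserts are allowed) CanCan does not evaluate the block, so the controller, which is not visible here, has to authorize every override it loads or saves for the new rule to take effect. Separately, `vo.variant.product.supplier` raises `NoMethodError` instead of denying when the variant's product is missing (possibly a soft-deleted product, to be confirmed); a guarded lookup such as `supplier = vo.variant.try(:product).try(:supplier)` followed by `supplier && permissions.variant_override_producers.include?(supplier)` denies cleanly. Building `permissions = OpenFoodNetwork::Permissions.new(user)` once and using it for both lookups would remove the duplicated construction. The enclosing class body starts and ends outside the hunk.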
@@ -272,9 +276,17 @@ module Spree
 should have_ability([:admin, :index, :read, :update], for: vo1)
 end
- it "should not be able to read/write other enterprises' variant overrides" do
+ it "should not be able to read/write variant overrides when producer of product hasn't granted permission" do
 should_not have_ability([:admin, :index, :read, :update], for: vo2)
 end
+
+ it "should not be able to read/write variant overrides when we can't add hub to order cycle" do
+ should_not have_ability([:admin, :index, :read, :update], for: vo3)
+ end
+
+ it "should not be able to read/write other enterprises' variant overrides" do
+ should_not have_ability([:admin, :index, :read, :update], for: vo4)
+ end
 end
 it "should be able to read/write their enterprises' orders" do
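Review bot: None of the three negative examples pins that the specific `:create_variant_overrides` permission is what unlocks access, since they only cover a missing producer relationship, a hub outside the user's order cycles, and both together. An extra example where the supplier of `p2` has a relationship to `d1` carrying only another permission (for instance `permissions_list: [:edit_profile]`, as used earlier in this spec) and `vo2` is still denied would guard against a later regression to "any relationship grants access". The positive example for `vo1` also leaves out `:bulk_update`, so the instance-level behaviour of that action is untested. The `describe "variant overrides"` block starts outside this hunk.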