diff --git a/app/controllers/spree/admin/base_controller.rb b/app/controllers/spree/admin/base_controller.rb
index 375512f3ba..7f3ad141f3 100644
--- a/app/controllers/spree/admin/base_controller.rb
+++ b/app/controllers/spree/admin/base_controller.rb
@@ -16,6 +16,7 @@ class BaseController < ApplicationController
 helper 'spree/currency'
 layout 'spree/layouts/admin'
+ before_action :ensure_can_read_admin_panel
 before_action :authorize_admin
 before_action :load_stores
@@ -37,6 +38,17 @@ def authorize_admin
 authorize! action, record
 end
+ def ensure_can_read_admin_panel
+ begin
+ authorize! :read, Spree::Admin
+ rescue CanCan::AccessDenied
+ redirect_to spree.admin_access_denied_path
+ false
+ else
+ true
+ end
+ end
+
 def redirect_unauthorized_access
 if try_spree_current_user
 flash[:error] = Spree.t(:authorization_failure)
diff --git a/app/controllers/spree/admin/errors_controller.rb b/app/controllers/spree/admin/errors_controller.rb
index 1182704050..d3bd6a396b 100644
--- a/app/controllers/spree/admin/errors_controller.rb
+++ b/app/controllers/spree/admin/errors_controller.rb
@@ -2,9 +2,14 @@ module Spree
 module Admin
 class ErrorsController < BaseController
 skip_before_action :authorize_admin
+ skip_before_action :ensure_can_read_admin_panel
 def forbidden
- render status: 403
+ render status: 403 if ensure_can_read_admin_panel
+ end
+
+ def access_denied
+ render status: 403, layout: nil
 end
 end
 end
diff --git a/app/views/spree/admin/errors/access_denied.html.erb b/app/views/spree/admin/errors/access_denied.html.erb
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/app/views/spree/admin/errors/access_denied.html.erb
@@ -0,0 +1 @@
+
diff --git a/config/routes.rb b/config/routes.rb
index e1facaf504..db32e2d7ac 100644
--- a/config/routes.rb
+++ b/config/routes.rb
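Review bot: The `begin`/`rescue`/`else`/`end` wrapper inside `ensure_can_read_admin_panel` is redundant in a method body and hides what actually stops the request: the filter chain halts because `redirect_to` marks the response as performed, not because the method returns `false`, and the boolean only matters to direct callers such as `ErrorsController#forbidden`. I would write the body as `authorize! :read, Spree::Admin` followed by `true`, attach `rescue CanCan::AccessDenied` directly to the `def`, and add above it `# Used both as a before_action and as a predicate: the redirect is what halts the chain; the boolean is for callers that invoke this directly (ErrorsController#forbidden).` Because the hunk above registers this filter ahead of `authorize_admin`, any visitor whose ability lacks `:read, Spree::Admin` — presumably including guests, though the guest ability is not shown — now lands on the access-denied page instead of reaching `redirect_unauthorized_access`, whose branch for users without a session is outside the hunk; confirm that is intended and record it in the same comment.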
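Review bot: `access_denied` renders `spree/admin/errors/access_denied.html.erb` with `layout: nil`, and the template added by this commit is a single blank line, so a denied user gets an empty 403 body with no explanation; either put a short `Spree.t` message in the template or document in the action that the empty body is deliberate. The new `skip_before_action :ensure_can_read_admin_panel` is what keeps the redirect issued by `BaseController#ensure_can_read_admin_panel` from looping back to this controller, which is worth stating: `# skipped so a denied user can reach access_denied without being redirected back here`. In `forbidden`, `render status: 403 if ensure_can_read_admin_panel` depends on the callee having already redirected when it returns false; a trailing `# callee has already redirected to access_denied when false` would make the missing else branch obvious.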
@@ -220,6 +220,7 @@ resources :webhooks_subscribers
 get '/forbidden', to: 'errors#forbidden', as: :forbidden
+ get '/access-denied', to: 'errors#access_denied', as: :access_denied
 resource :dashboard, controller: 'dashboard'
 root to: 'dashboard#show'