
@rstrobl
Created May 6, 2013 14:07
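# CanCan ability definition for the application.
#
# Admins may manage every resource; every other user, including an
# unauthenticated guest, is granted read access to every resource.
class Ability
  include CanCan::Ability

  # Builds the rule set for the given user.
  #
  # @param user [User, nil] the current user; nil is treated as a guest
  def initialize(user)
    # A guest gets an unsaved User so the admin? check below still works.
    user ||= User.new

    # Do not print or log the user object here: this initializer runs for
    # every authorization check, and dumping the record would write the
    # account's attributes (e-mail, credential fields) to the server output.
    if user.admin?
      can :manage, :all
    else
      # NOTE(review): this grants :read on every model to non-admins and to
      # guests alike -- confirm that no model holds data they must not see,
      # or narrow the rule to an explicit list of models.
      can :read, :all
    end
  end
end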
require 'spec_helper'
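# Request specs for the /admin area: guests are sent to the login page,
# signed-in non-admins are sent to the dashboard, admins get the page.
describe "Admin access" do
  # Signs the given user in by posting their credentials to the session path.
  # Relies on the factory-built record still exposing its plaintext password.
  #
  # @param user [User] a persisted user created by a factory
  def sign_in(user)
    post new_user_session_path, :user => { :email => user.email, :password => user.password }
  end

  it "should be redirected to the login page if he is not authenticated yet" do
    get '/admin'
    response.should redirect_to(new_user_session_path)
  end

  it "should redirect to the dashboard if the authenticated user is not an admin" do
    user = FactoryGirl.create(:user)
    sign_in user
    get '/admin'
    response.should redirect_to(dashboard_path)
  end

  # The description previously duplicated the non-admin example above, which
  # made a failure of the admin case read as a failure of the denial case.
  it "should render the admin page if the authenticated user is an admin" do
    user = FactoryGirl.create(:admin)
    sign_in user
    get '/admin'
    # eq compares by value; be(200) compares object identity.
    response.status.should eq(200)
  end

  # NOTE(review): only GET /admin is covered. A denial test for a
  # state-changing admin request by a non-admin would guard the rule
  # that actually matters.
end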
# Base controller: enables CSRF protection and turns CanCan authorization
# failures into a redirect with a flash message.
class ApplicationController < ActionController::Base
  protect_from_forgery

  # Handles CanCan::AccessDenied raised anywhere below this controller.
  #
  # A guest is sent to the login page and the denied path is remembered in
  # the session so they can be returned to it after signing in. A signed-in
  # user who lacks permission is sent to the dashboard and any remembered
  # return path is cleared.
  rescue_from CanCan::AccessDenied do |_denied|
    unless user_signed_in?
      flash[:error] = I18n.t('auth.message.admin_login_required')
      # request.fullpath is the path and query string of the current request,
      # so the stored return target stays on this application.
      session[:user_return_to] = request.fullpath
      redirect_to new_user_session_path
      next
    end

    flash[:error] = I18n.t('auth.message.access_denied')
    # Clear the return path so a later login does not bounce the user back
    # to the page they were just denied.
    session[:user_return_to] = nil
    redirect_to main_app.dashboard_path
  end
end