=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2014-12-04 07:23:16 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2014-12-19 10:38:55 +0000 @@ -34,6 +34,9 @@ import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement; +import com.google.common.collect.Sets; + +import org.apache.commons.collections.CollectionUtils; import org.hisp.dhis.common.BaseIdentifiableObject; import org.hisp.dhis.common.DxfNamespaces; import org.hisp.dhis.common.IdentifiableObject; @@ -99,6 +102,11 @@ { return authorities != null && authorities.contains( AUTHORITY_ALL ); } + + public boolean hasCriticalAuthorities() + { + return authorities != null && CollectionUtils.containsAny( authorities, Sets.newHashSet( CRITICAL_AUTHS ) ); + } // ------------------------------------------------------------------------- // Getters and setters === modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-10-01 13:56:33 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-12-19 10:38:55 +0000 
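Review bot: In the `@@ -99,6 +102,11 @@` hunk of UserAuthorityGroup.java, `hasCriticalAuthorities()` is added without Javadoc even though the invite path now relies on it as an authorization check. A comment such as `/** Returns true if this role holds any authority listed in CRITICAL_AUTHS; such roles must not be granted through invite or restore. */` would state the contract. CRITICAL_AUTHS is declared outside the hunk, so confirm that it includes AUTHORITY_ALL; if it does not, a role holding only ALL passes this check while `hasAllAuthority()` just above reports it. The set is also rebuilt on every call, and `!Collections.disjoint( authorities, Arrays.asList( CRITICAL_AUTHS ) )` would give the same result with the JDK alone.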
@@ -341,6 +341,14 @@ * @return a Collection of UserAuthorityGroups. */ Collection getAllUserAuthorityGroups(); + + /** + * Retrieves UserAuthorityGroups with the given UIDs. + * + * @param uids the UIDs. + * @return a List of UserAuthorityGroups. + */ + List getUserRolesByUid( Collection uids ); /** * Retrieves all UserAuthorityGroups. === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-11-24 14:15:14 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-12-19 10:38:55 +0000 
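Review bot: The Javadoc on `getUserRolesByUid` does not say what the returned list holds for a UID that matches no role. The caller added in UserController guards with `role != null`, which suggests null entries are possible, while the implementation in DefaultUserService only delegates to `userAuthorityGroupStore.getByUid( uids )`. Because the result feeds a privilege check, add a line such as `* UIDs which do not match a role are omitted from the result.` (or the null-entry equivalent, whichever the store actually does), and state whether a null `uids` is accepted.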
@@ -154,25 +154,25 @@ { if ( !systemSettingManager.emailEnabled() ) { - log.info( "Could not send restore/invite message as email is not configured" ); + log.warn( "Could not send restore/invite message as email is not configured" ); return "email_not_configured_for_system"; } if ( credentials == null || credentials.getUser() == null ) { - log.info( "Could not send restore/invite message as user does not exist: " + credentials ); + log.warn( "Could not send restore/invite message as user does not exist: " + credentials ); return "no_user_credentials"; } if ( credentials.getUser().getEmail() == null || !ValidationUtils.emailIsValid( credentials.getUser().getEmail() ) ) { - log.info( "Could not send restore/invite message as user has no email or email is invalid" ); + log.warn( "Could not send restore/invite message as user has no email or email is invalid" ); return "user_does_not_have_valid_email"; } if ( credentials.hasAnyAuthority( Arrays.asList( UserAuthorityGroup.CRITICAL_AUTHS ) ) ) { - log.info( "Not allowed to restore/invite users with critical authorities" ); + log.warn( "Not allowed to restore/invite users with critical authorities" ); return "user_has_critical_authorities"; } === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-11-24 18:14:38 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-12-19 10:38:55 +0000 @@ -52,7 +52,6 @@ import org.hisp.dhis.dataset.DataSet; import org.hisp.dhis.organisationunit.OrganisationUnit; import org.hisp.dhis.period.PeriodType; -import org.hisp.dhis.security.SecurityService; import org.hisp.dhis.setting.SystemSettingManager; import org.hisp.dhis.system.filter.UserAuthorityGroupCanIssueFilter; import org.hisp.dhis.system.util.DateUtils; 
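Review bot: In the DefaultSecurityService hunk, the second message still concatenates the whole `credentials` object, and at warn level it is more likely to end up in production logs. What is written depends on `UserCredentials.toString()`, which is not part of this diff; confirm it cannot include the stored password or restore secrets, or log only the username. The critical-authorities warning, by contrast, names no account at all, so adding the username there would let the refusal be correlated with a request. The enclosing method starts and ends outside the hunk.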
@@ -115,13 +114,6 @@ this.categoryService = categoryService; } - private SecurityService securityService; - - public void setSecurityService( SecurityService securityService ) - { - this.securityService = securityService; - } - private SystemSettingManager systemSettingManager; public void setSystemSettingManager( SystemSettingManager systemSettingManager ) @@ -445,6 +437,12 @@ } @Override + public List getUserRolesByUid( Collection uids ) + { + return userAuthorityGroupStore.getByUid( uids ); + } + + @Override public Collection getUserRolesBetween( int first, int max ) { return userAuthorityGroupStore.getAllOrderedName( first, max ); === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml' --- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-12-07 12:20:58 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-12-19 10:38:55 +0000 @@ -595,7 +595,6 @@ - === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-18 20:59:57 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-19 10:38:55 +0000 @@ -28,6 +28,8 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids; + import java.io.InputStream; import java.util.ArrayList; import java.util.List; @@ -48,6 +50,7 @@ import org.hisp.dhis.security.SecurityService; import org.hisp.dhis.setting.SystemSettingManager; import org.hisp.dhis.user.User; +import org.hisp.dhis.user.UserAuthorityGroup; import org.hisp.dhis.user.UserCredentials; import org.hisp.dhis.user.UserGroup; import org.hisp.dhis.user.UserGroupService; 
@@ -95,10 +98,10 @@ @Autowired private SystemSettingManager systemSettingManager; - - //-------------------------------------------------------------------------- + + // ------------------------------------------------------------------------- // GET - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- @Override @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_VIEW')" ) @@ -159,9 +162,9 @@ return users; } - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- // POST - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- @Override @RequestMapping( method = RequestMethod.POST, consumes = { "application/xml", "text/xml" } ) @@ -219,9 +222,9 @@ } } - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- // PUT - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- @Override @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, consumes = { "application/xml", "text/xml" } ) @@ -277,9 +280,9 @@ renderService.toJson( response.getOutputStream(), summary ); } - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- // Supportive methods - //-------------------------------------------------------------------------- + // ------------------------------------------------------------------------- /** * Creates a user invitation and invites the user 
@@ -290,12 +293,46 @@ */ private void inviteUser( User user, HttpServletRequest request, HttpServletResponse response ) throws Exception { + UserCredentials credentials = user.getUserCredentials(); + + // --------------------------------------------------------------------- + // Validation + // --------------------------------------------------------------------- + + if ( credentials == null ) + { + ContextUtils.conflictResponse( response, "User credentials is not present" ); + return; + } + + credentials.setUser( user ); + + List userRoles = userService.getUserRolesByUid( getUids( credentials.getUserAuthorityGroups() ) ); + + for ( UserAuthorityGroup role : userRoles ) + { + if ( role != null && role.hasCriticalAuthorities() ) + { + ContextUtils.conflictResponse( response, "User cannot be invited with user role which has critical authorities: " + role ); + return; + } + } + + String valid = securityService.validateRestore( user.getUserCredentials() ); + + if ( valid != null ) + { + ContextUtils.conflictResponse( response, valid ); + return; + } + + // --------------------------------------------------------------------- + // Prepare, create and invite user + // --------------------------------------------------------------------- + RestoreOptions restoreOptions = user.getUsername() == null || user.getUsername().isEmpty() ? RestoreOptions.INVITE_WITH_USERNAME_CHOICE : RestoreOptions.INVITE_WITH_DEFINED_USERNAME; - UserCredentials credentials = user.getUserCredentials(); - credentials.setUser( user ); - securityService.prepareUserForInvite( user ); createUser( user, response );
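Review bot: In inviteUser, the critical-authority check runs on the roles loaded from the store by UID, but the role objects that stay on `credentials` are still the ones from the request body. createUser is outside the hunk, so it cannot be seen whether it resolves roles by the same UIDs; if it does not, the validated set and the saved set can differ. Assigning the loaded roles back before `securityService.prepareUserForInvite( user )`, e.g. `credentials.setUserAuthorityGroups( new HashSet<>( userRoles ) );`, and rejecting the request when fewer roles are found than UIDs were submitted, would tie the check to what is persisted. `securityService.validateRestore( user.getUserCredentials() )` could also take the local `credentials`. The method body continues past the end of the hunk.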