diff --git a/src/db/operations/admins.rs b/src/db/operations/admins.rs
index a32734a..f37b1e4 100644
--- a/src/db/operations/admins.rs
+++ b/src/db/operations/admins.rs
@@ -21,11 +21,12 @@ pub async fn add_admin(
 profile: Profile,
 ) -> Result<(), Error> {
 let group_name_f = group_name.to_owned();
- HOST_IS_GROUP_ADMIN.run(&RuleContext::minimal(
+ CAN_ADD_CURATOR.run(&RuleContext::minimal_with_member_uuid(
 pool,
 scope_and_user,
 &group_name,
 &host.user_uuid,
+ &user.user_uuid,
 ))?;
 let connection = pool.get()?;
 internal::admin::add_admin(&connection, &group_name, host, user)?;
diff --git a/src/rules/engine.rs b/src/rules/engine.rs
index 5b14f2c..f4f13b4 100644
--- a/src/rules/engine.rs
+++ b/src/rules/engine.rs
@@ -16,7 +16,7 @@ pub const SEARCH_USERS: Engine = Engine {
 };
 pub const INVITE_MEMBER: Engine = Engine {
- rules: &[&rule_host_can_invite, &user_can_join, &user_not_a_member],
+ rules: &[&rule_host_can_invite, &member_can_join, &user_not_a_member],
 };
 pub const RENEW_MEMBER: Engine = Engine {
@@ -31,6 +31,10 @@ pub const EDIT_TERMS: Engine = Engine {
 rules: &[&rule_host_can_edit_terms],
 };
+pub const CAN_ADD_CURATOR: Engine = Engine {
+ rules: &[&rule_host_is_curator, &member_is_ndaed],
+};
+
 pub const HOST_IS_CURATOR: Engine = Engine {
 rules: &[&rule_host_is_curator],
 };
diff --git a/src/rules/functions.rs b/src/rules/functions.rs
index 10faf4a..e8d1604 100644
--- a/src/rules/functions.rs
+++ b/src/rules/functions.rs
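Review bot: The guard on `add_admin` used to be `HOST_IS_GROUP_ADMIN` and is now `CAN_ADD_CURATOR`, whose first rule is `rule_host_is_curator`; neither rule body is in this diff, so it is not visible whether the host-side requirement stayed the same or was relaxed. If curator is a lesser role than group admin, this call now lets a lower-privileged host grant the admin role, so please confirm the two rules are equivalent and record it above the call, e.g. `// authz: host must be a curator (same privilege as the former HOST_IS_GROUP_ADMIN check); target must be NDA'd`. The rule and `internal::admin::add_admin` also take separate connections from the pool, so the trust level verified by the rule is not guaranteed to still hold at write time unless the internal call re-checks it. `add_admin` starts and ends outside the hunk.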
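Review bot: `CAN_ADD_CURATOR` has no doc comment, although it is the only statement of who may promote a member; a line such as `/// Host must be a curator of the group and the target member must hold at least NDA'd trust.` would make the policy reviewable at a glance. The rule order is worth pinning in that comment as well: with `rule_host_is_curator` first, an unauthorised caller is presumably rejected before `member_is_ndaed` looks up the target, so the second rule's distinct errors do not disclose another user's trust level. That assumes `Engine::run` evaluates rules in order and stops at the first failure, which is not visible here.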
@@ -72,8 +72,22 @@ pub fn user_not_a_member(ctx: &RuleContext) -> Result<(), RuleError> {
 }
 }
+/// Check if the member is nda'd
+pub fn member_is_ndaed(ctx: &RuleContext) -> Result<(), RuleError> {
+ let connection = ctx.pool.get().map_err(|_| RuleError::PoolError)?;
+ let trust = internal::user::user_trust(
+ &connection,
+ ctx.member_uuid.ok_or(RuleError::InvalidRuleContext)?,
+ )
+ .map_err(|_| RuleError::UserNotFound)?;
+ if trust >= TrustType::Ndaed {
+ return Ok(());
+ }
+ Err(RuleError::NotAllowedToJoinGroup)
+}
+
 /// Check if the user is nda'd or the group is the nda group
-pub fn user_can_join(ctx: &RuleContext) -> Result<(), RuleError> {
+pub fn member_can_join(ctx: &RuleContext) -> Result<(), RuleError> {
 let connection = ctx.pool.get().map_err(|_| RuleError::PoolError)?;
 let trust = internal::user::user_trust(
 &connection,
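Review bot: `member_is_ndaed` rejects an under-trusted target with `RuleError::NotAllowedToJoinGroup`, but the rule is wired into `CAN_ADD_CURATOR`, so a denied promotion will be logged and reported as a join failure; a variant that names the actual condition would keep audit trails accurate. The `.map_err(|_| RuleError::UserNotFound)` on `user_trust` also discards the underlying error, which fails closed but makes a database fault indistinguishable from an unknown user, so logging the original error before mapping it would help. The doc comment could state the contract, e.g. `/// Passes only if ctx.member_uuid is set and that user's trust is at least TrustType::Ndaed.`, and note that `>=` relies on the variant order of `TrustType`, which is declared outside this diff. `member_can_join` continues past the end of the hunk.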