diff --git a/apps/note/api/serializers.py b/apps/note/api/serializers.py
index 02311de104b6be89f6e4d4d702fb46c80fd72123..4d8be07fb220b25a4f2d8d6f149915bbac098664 100644
--- a/apps/note/api/serializers.py
+++ b/apps/note/api/serializers.py
@@ -4,6 +4,7 @@
 from rest_framework import serializers
 from rest_polymorphic.serializers import PolymorphicSerializer
 
+from logs.middlewares import get_current_authenticated_user
 from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
 from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
     TemplateTransaction, SpecialTransaction
@@ -77,7 +78,10 @@ class AliasSerializer(serializers.ModelSerializer):
         fields = '__all__'
 
     def get_note(self, alias):
-        return NotePolymorphicSerializer().to_representation(alias.note)
+        if get_current_authenticated_user().has_perm("note.view_note", alias.note):
+            return NotePolymorphicSerializer().to_representation(alias.note)
+        else:
+            return alias.note.id
 
 
 class NotePolymorphicSerializer(PolymorphicSerializer):
diff --git a/apps/note/api/views.py b/apps/note/api/views.py
index a4fe6fc19ed9afe7ada81b8258bcb50436262904..caa77132cb4a39b5be37c7311b04ebf812f874d7 100644
--- a/apps/note/api/views.py
+++ b/apps/note/api/views.py
@@ -75,20 +75,7 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
-            Q(alias__name__regex="^" + alias)
-            | Q(alias__normalized_name__regex="^" + alias.lower()))
-
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
+            Q(alias__name__regex="^" + alias) | Q(alias__normalized_name__regex="^" + alias.lower()))
 
         return queryset.distinct()
 
@@ -117,25 +104,6 @@ class AliasViewSet(ReadProtectedModelViewSet):
         queryset = queryset.filter(
             Q(name__regex="^" + alias) | Q(normalized_name__regex="^" + alias.lower()))
 
-        note_id = self.request.query_params.get("note", None)
-        if note_id:
-            queryset = queryset.filter(id=note_id)
-
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
-
         return queryset
 
 
diff --git a/apps/permission/templatetags/perms.py b/apps/permission/templatetags/perms.py
index 9b5ff93abff4c49940b639bdb6ee7d0b91b2590c..460bf9a6a304f7626da4629150e070dd9aa880bc 100644
--- a/apps/permission/templatetags/perms.py
+++ b/apps/permission/templatetags/perms.py
@@ -17,7 +17,9 @@ def has_perm(value):
 @stringfilter
 def not_empty_model_list(model_name):
     user = get_current_authenticated_user()
-    if user.is_superuser:
+    if user is None:
+        return False
+    elif user.is_superuser:
         return True
     spl = model_name.split(".")
     ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
@@ -28,7 +30,9 @@ def not_empty_model_list(model_name):
 @stringfilter
 def not_empty_model_change_list(model_name):
     user = get_current_authenticated_user()
-    if user.is_superuser:
+    if user is None:
+        return False
+    elif user.is_superuser:
         return True
     spl = model_name.split(".")
     ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
diff --git a/static/js/base.js b/static/js/base.js
index 2362375bf7c6f89fc7995f5764f47f7ef9113003..7a733df334c7532db9dcd02b8278b2322880995e 100644
--- a/static/js/base.js
+++ b/static/js/base.js
@@ -67,7 +67,7 @@ function displayNote(note, alias, user_note_field=null, profile_pic_field=null)
     if (note !== null && alias !== note.name)
         alias += " (aka. " + note.name + ")";
     if (note !== null && user_note_field !== null)
-        $("#" + user_note_field).text(alias + " : " + pretty_money(note.balance));
+        $("#" + user_note_field).text(alias + (note.balance == null ? "" : (" : " + pretty_money(note.balance))));
     if (profile_pic_field != null)
         $("#" + profile_pic_field).attr('src', img);
 }
@@ -173,6 +173,13 @@ function autoCompleteNote(field_id, alias_matched_id, note_list_id, notes, notes
 
             aliases.results.forEach(function (alias) {
                 let note = alias.note;
+                if (typeof note === "number") {
+                    note = {
+                        id: note,
+                        name: alias.name,
+                        balance: null
+                    };
+                }
                 aliases_matched_html += li(alias_prefix + "_" + alias.id, alias.name);
                 note.alias = alias;
                 notes.push(note);
diff --git a/static/js/consos.js b/static/js/consos.js
index 5f7a314a949cc600ff02b15e14da9a9fdb91de81..1cf24e0758f5d87fbaf16535fe164b9ba4ecd2f8 100644
--- a/static/js/consos.js
+++ b/static/js/consos.js
@@ -154,7 +154,8 @@ function reset() {
     $("#note_list").html("");
     $("#alias_matched").html("");
     $("#consos_list").html("");
-    displayNote(null, "");
+    $("#user_note").text("");
+    $("#profile_pic").attr("src", "/media/pic/default.png");
     refreshHistory();
     refreshBalance();
 }
diff --git a/static/js/transfer.js b/static/js/transfer.js
index a0c2d88ae2bf65e545df8b53b45b1d5f2f0188e8..c615f932bb7f41091fa8d79dc5a720b0cf1d3858 100644
--- a/static/js/transfer.js
+++ b/static/js/transfer.js
@@ -21,6 +21,8 @@ function reset() {
     $("#last_name").val("");
     $("#first_name").val("");
     $("#bank").val("");
+    $("#user_note").val("");
+    $("#profile_pic").attr("src", "/media/pic/default.png");
     refreshBalance();
     refreshHistory();
 }
@@ -30,16 +32,18 @@ $(document).ready(function() {
         "source_alias", "source_note", "user_note", "profile_pic");
     autoCompleteNote("dest_note", "dest_alias_matched", "dest_note_list", dests, dests_notes_display,
         "dest_alias", "dest_note", "user_note", "profile_pic", function() {
-            let last = dests_notes_display[dests_notes_display.length - 1];
-            dests_notes_display.length = 0;
-            dests_notes_display.push(last);
+            if ($("#type_credit").is(":checked") || $("#type_debit").is(":checked")) {
+                let last = dests_notes_display[dests_notes_display.length - 1];
+                dests_notes_display.length = 0;
+                dests_notes_display.push(last);
 
-            last.quantity = 1;
+                last.quantity = 1;
 
-            $.getJSON("/api/user/" + last.note.user + "/", function(user) {
-                $("#last_name").val(user.last_name);
-                $("#first_name").val(user.first_name);
-            });
+                $.getJSON("/api/user/" + last.note.user + "/", function(user) {
+                    $("#last_name").val(user.last_name);
+                    $("#first_name").val(user.first_name);
+                });
+            }
 
             return true;
        });