diff --git a/aai/migrations/0003_alter_perms_options.py b/aai/migrations/0003_alter_perms_options.py
new file mode 100644
index 0000000000000000000000000000000000000000..ed2aba6ef35770c08cb9562cde3356f1f8bbe4cb
--- /dev/null
+++ b/aai/migrations/0003_alter_perms_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.2.24 on 2024-05-29 16:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('aai', '0002_alter_perms_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='perms',
+            options={'default_permissions': (), 'permissions': [('update_exercise', 'Can access instructor tools for exercise manipulation'), ('view_exercise', 'Can view exercise and their info'), ('update_definition', 'Can add/delete/change definition'), ('view_definition', 'Can view definition'), ('view_category', 'Can view inject categories'), ('view_milestone', 'Can view milestones'), ('use_tool', 'Can use tool of the exercise'), ('send_injectselection', 'Can pick and send inject selection'), ('send_email', 'Can send email and execute email related operations'), ('view_trainee_info', 'Can view exercise info intedned to trainees (roles, tools...)'), ('view_extendtool', 'Can view extend tool (with responses)'), ('view_injectselection', 'Can view inject selecion options'), ('view_email_info', 'Can view info related to emails (contacts, addresses...)'), ('view_email', 'Can view email bodies and threads'), ('view_analytics', 'Can view data needed for analytics dashboard'), ('update_userassignment', 'Can (un)assign user to exercise or team'), ('view_user', 'Can view users in database'), ('manipulate_file', 'Can upload and download files during exercise'), ('update_user', 'Can add/remove/change user'), ('delete_user', 'Can delete user'), ('export_import', 'Can export and import database')]},
+        ),
+    ]
diff --git a/common_lib/schema_types.py b/common_lib/schema_types.py
index 2c49f9570dc3a309526a76fcee58398fda56c963..fa0626986c40f3b824075dcb4fa5776a4d926893 100644
--- a/common_lib/schema_types.py
+++ b/common_lib/schema_types.py
@@ -1,6 +1,7 @@
 import graphene
 from django.db import models
 from graphene_django import DjangoObjectType
+from django.conf import settings
 
 from aai.models import UserGroup
 from exercise.models import (
@@ -50,7 +51,7 @@ from user.models import User, Tag, Group
 class RestrictedUser(DjangoObjectType):
     class Meta:
         model = User
-        exclude = ("definitions", "exercises", "teams")
+        exclude = ("definitions", "exercises", "teams", "password")
 
 
 class RestrictedExercise(DjangoObjectType):
@@ -107,6 +108,10 @@ class ExerciseType(DjangoObjectType):
     user_set = graphene.List(RestrictedUser)
 
     def resolve_user_set(self, info):
+        if settings.NOAUTH:
+            pass
+        elif info.context.user.group == UserGroup.TRAINEE:
+            return User.objects.none()
         return self.user_set.all()
 
 
@@ -117,6 +122,10 @@ class TeamType(DjangoObjectType):
     user_set = graphene.List(RestrictedUser)
 
     def resolve_user_set(self, info):
+        if settings.NOAUTH:
+            pass
+        elif info.context.user.group == UserGroup.TRAINEE:
+            return User.objects.none()
         return self.user_set.all()
 
 
@@ -169,7 +178,7 @@ class QuestionType(DjangoObjectType):
     def resolve_correct(self, info):
         user = info.context.user
         # very weird, but this should probably be resilient to AAI being turned off
-        if user.is_anonymous:
+        if settings.NOAUTH:
             return self.correct
 
         if user.group == UserGroup.TRAINEE:
diff --git a/rolling-changelog.txt b/rolling-changelog.txt
index 14acedad58a0fd1d6a7374065092ee7703845a12..d176bcfa4dc640763581dde33eb99fbcf6163e28 100644
--- a/rolling-changelog.txt
+++ b/rolling-changelog.txt
@@ -43,3 +43,4 @@ feat: addition of INJECT_SECRET_KEY env variable #141
 change: set csrf cookie for `/version` endpoint
 feat: endpoint for re-generation of user login credentials #202
 feat: add endpoint for user deletion - accessible only to admin #199
+fix: user_set resolvers are dependant on the user.group in schema_types #204
diff --git a/user/email/email_sender.py b/user/email/email_sender.py
index 21b5c5c78cec85c357a14dee1757c79acb217478..fe04bf0f3cc248547a27df5c0205e3ce5264c877 100644
--- a/user/email/email_sender.py
+++ b/user/email/email_sender.py
@@ -31,6 +31,9 @@ def send_credentials(new_users: List[Tuple[User, str]]):
         msg_image = MIMEImage(fp.read())
         fp.close()
         msg_image.add_header("Content-ID", "<logo-image>")
+        msg_image.add_header(
+            "Content-Disposition", "attachment; filename=inject-logo.png"
+        )
         message.mixed_subtype = "related"
         message.attach(msg_image)