How to ban TL1 or other groups from attaching attachments in topics?

I’m actually concerned that someone might maliciously upload files and fill up my S3 bucket. It would be great if there was a setting to limit the number of uploads or the total file size per user per day.

To directly answer your topic’s title,

Since it’s a theme component, it can be bypassed by users, especially if they can enable the safe mode. That’s a “soft” limitation, so to speak.

It also doesn’t support groups, but that could be asked as a Feature request :slightly_smiling_face:

2 Likes
Max image size KB: The maximum image upload size. This must be configured in nginx (client_max_body_size) / apache or proxy as well. Images larger than this and smaller than client_max_body_size will be resized to fit on upload.

Max attachment size KB: The maximum attachment files upload size. This must be configured in nginx (client_max_body_size) / apache or proxy as well.

```yaml
params:
  ## Which Git revision should this container use? (default: tests-passed)
  version: tests-passed
  ## Maximum upload size (default: 10m)
  upload_size: 20m
```

I want to know if I can limit the number of upload attempts or the total file size per user per day through that method?

I want to block malicious users, you know, but the component you recommended can only block regular users. :broken_heart:

It’s not possible to set such a limitation without creating a custom plugin.

Do you suspect it already happened? Did you notice a sudden increase in the space used by uploads?

If not, what makes you think such an exploit could happen?

1 Like

Maybe it helps to describe your problem more specifically. Which file extensions are allowed on your forum (Authorized extensions site setting)? By default, only images are allowed. Then requiring approval for posts containing images from users with a low trust level could help (Skip review media groups).

You can also identify such users in the “Top uploads” report in the admin area.

1 Like
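
As an added example (not part of the thread and not Discourse code): a rolling 24-hour per-user check over exported upload records, for spotting the kind of account the “Top uploads” report would surface. The record layout, the limits and the function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (user, ISO timestamp, size in bytes); not real forum data.
SAMPLE_UPLOADS = [
    ("alice", "2024-05-01T09:00:00", 400_000),
    ("mallory", "2024-05-01T09:00:00", 9_000_000),
    ("mallory", "2024-05-01T09:05:00", 9_500_000),
    ("alice", "2024-05-01T15:30:00", 350_000),
    ("mallory", "2024-05-01T23:50:00", 9_800_000),
    ("mallory", "2024-05-02T08:55:00", 9_900_000),
    ("bob", "2024-05-02T10:00:00", 2_000_000),
    ("mallory", "2024-05-02T09:10:00", 1_000_000),
]

def find_heavy_uploaders(records, max_files=3, max_bytes=30_000_000,
                         window=timedelta(hours=24)):
    """Return {user: (peak_files, peak_bytes)} for users who exceed either
    limit within any rolling window. Limits are hypothetical policy values."""
    per_user = defaultdict(list)
    for user, ts, size in records:
        per_user[user].append((datetime.fromisoformat(ts), size))

    flagged = {}
    for user, events in per_user.items():
        events.sort()  # records may arrive out of order
        recent = deque()
        total = peak_files = peak_bytes = 0
        for when, size in events:
            recent.append((when, size))
            total += size
            # Drop uploads that fell out of the rolling window.
            while when - recent[0][0] >= window:
                total -= recent.popleft()[1]
            peak_files = max(peak_files, len(recent))
            peak_bytes = max(peak_bytes, total)
        if peak_files > max_files or peak_bytes > max_bytes:
            flagged[user] = (peak_files, peak_bytes)
    return flagged

if __name__ == "__main__":
    for user, (files, size) in find_heavy_uploaders(SAMPLE_UPLOADS).items():
        print(f"{user}: up to {files} uploads / {size} bytes in 24h")
```

In the sample, the flagged account stays under both limits on each calendar day; only the rolling window catches the burst that straddles midnight.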

There isn’t any at the moment, maybe I’m being too pessimistic. However, as you mentioned, even if it’s a plugin, it can be disabled through safe mode. It seems that the only way to prevent it is through server or S3 bucket settings.

Thank you for your advice. However, if it’s a malicious user, can they disguise other files as image formats? And since there are no restrictions on the number or total size of images, can they still upload images without limit? Also, I still don’t understand whether the files will occupy my S3 bucket if they upload successfully but don’t publish a topic.

Only the front-end functionality of plugins is disabled in safe mode. The backend limitations remain.

You can also disable safe mode for users.

2 Likes

You can imagine thousands of ways of disrupting any software in which you can add data, so I wouldn’t worry about this imaginary problem and focus my attention on other things :stuck_out_tongue:

2 Likes

Here’s some documentation regarding that.

3 Likes

You can also try removing trust_level_0 from the Embedded media post allowed groups site setting and adding it to another trust level group. Though I was still able to upload my image, I wasn’t able to post it with my test user.

1 Like

Maybe you’re right. I shouldn’t let too many concerns stop me from taking action. I am a perfectionist, and too many worries always make me easily discouraged.

2 Likes

I think I’ll use this feature, even though I don’t really want to create too many obstacles for normal users. I just don’t want to be played with or taken advantage of by a very small number of evil users.

If I understand correctly, it works as I thought: the upload will occupy space in the S3 bucket, which really worries me. While there is an automatic cleanup feature that works well under normal circumstances, malicious users can easily bypass posting restrictions and keep uploading files.

Regarding safe-mode.