raise overall content body size, routes will implement stricter limits

app/__init__.py

@@ -123,7 +123,7 @@ def create_app():
     app.config["SECRET_KEY"] = os.getenv("FLASK_SECRET_KEY")
 
     app.config['AVATAR_UPLOAD_PATH'] = 'data/static/avatars/'
-    app.config['MAX_CONTENT_LENGTH'] = 1000 * 1000
+    app.config['MAX_CONTENT_LENGTH'] = 3 * 1000 * 1000 # 3M total, subject to further limits per route
 
     os.makedirs(os.path.dirname(app.config["DB_PATH"]), exist_ok = True)
 

app/routes/users.py

@@ -20,6 +20,8 @@ import time
 import re
 import os
 
+AVATAR_MAX_SIZE = 1000 * 1000
+
 bp = Blueprint("users", __name__, url_prefix = "/users/")
 
 
@@ -451,6 +453,14 @@ def set_avatar(username):
         flash('Avatar missing.', InfoboxKind.ERROR)
         return redirect(url_for('.settings', username=user.username))
 
+    file.seek(0, os.SEEK_END)
+    file_size = file.tell()
+    file.seek(0, os.SEEK_SET)
+
+    if file_size > AVATAR_MAX_SIZE:
+        flash('Avatar image is over 1MB.', InfoboxKind.ERROR)
+        return redirect(url_for('.settings', username=user.username))
+
     file_bytes = file.read()
 
     now = int(time.time())

app/templates/users/settings.html

@@ -15,7 +15,7 @@
           <input type='submit' value='Save avatar' {{ 'disabled' if disable_avatar else '' }}>
           <input type='submit' value='Clear avatar' formaction='{{ url_for('users.clear_avatar', username=active_user.username) }}' formnovalidate {{ 'disabled' if active_user.is_default_avatar() else '' }}>
         </div>
-        <span>1MB maximum size. Avatar will be scaled down to fit a square.</span>
+        <span>1MB maximum size. Avatar will be cropped to square.</span>
       </form>
     </fieldset>
     <fieldset class="hfc">