diff --git a/config.example.toml b/config.example.toml index 8f9e714..d448962 100644 --- a/config.example.toml +++ b/config.example.toml @@ -25,5 +25,7 @@ allow_registration = true data_folder = "data" [levels] +# max amount of objects in a level +max_objects = 80_000 # object ids to block blocklist = [ 31 ] # start position \ No newline at end of file diff --git a/readme.md b/readme.md index f474275..80bb215 100644 --- a/readme.md +++ b/readme.md @@ -34,16 +34,14 @@ _these features are implemented_ ## todo -- swap to chrono instead of `(TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-MM-DD HH24:MI:SS.MS'))` (thats REALLY ugly!!) this would also make the `28` and `29` parameters work on downloadlevel +- swap to chrono instead of `(TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-MM-DD HH24:MI:SS.MS'))` (thats REALLY ugly!!) this would also make the `28` (upload) and `29` (update) responses work on downloadlevel and the `4` (recent) on getlevels - 2.2 friends only unlisted - add more old endpoints + better support for older versions - add dailies, events, weekly -- add defaults to more parameters - better way for checking if song is custom (currently `id > 50`) - sqlite would make sense for this - unscuff difficulties - moderation utilities - probably make more things bools in the database - ip actions -- fix downlopading levels - better song support \ No newline at end of file diff --git a/src/config.rs b/src/config.rs index 597d744..8af07f6 100644 --- a/src/config.rs +++ b/src/config.rs @@ -29,6 +29,7 @@ pub struct ConfigDB { #[derive(Deserialize)] pub struct ConfigLevels { + pub max_objects: i32, pub blocklist: Vec } diff --git a/src/endpoints/levels/get_levels.rs b/src/endpoints/levels/get_levels.rs index 9c0368e..00602be 100644 --- a/src/endpoints/levels/get_levels.rs +++ b/src/endpoints/levels/get_levels.rs 
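Review bot: `max_objects` in `ConfigLevels` is a signed `i32`, and the upload check in src/endpoints/levels/upload_level.rs compares against `CONFIG.levels.max_objects as usize`, so a negative value in the config wraps to a very large `usize` and silently disables the limit. Declaring it as `pub max_objects: usize,` rejects a negative value when the config is deserialized and makes the cast unnecessary. The field also carries no default, so a deployed config file written before this change presumably fails to load until the key is added; a `#[serde(default = "...")]` attribute or a line in the upgrade notes would cover that.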
@@ -225,11 +225,19 @@ pub fn get_levels(input: Form) -> status::Custom<&'static str> { if user_id_val == input.str.parse::().expect("couldnt convert query input to i32") { can_see_unlisted = true; + query = query.filter(levels::user_id.eq(user_id_val)); + count_query = count_query.filter(levels::user_id.eq(user_id_val)) } else { return status::Custom(Status::Ok, "-1") } } } + if let None = input.local { + let user_id_val = input.str.parse::().expect("couldnt convert query input to i32"); + + query = query.filter(levels::user_id.eq(user_id_val)); + count_query = count_query.filter(levels::user_id.eq(user_id_val)) + } } // featured // 17 is gdworld diff --git a/src/endpoints/levels/upload_level.rs b/src/endpoints/levels/upload_level.rs index 3bacd7a..798d41e 100644 --- a/src/endpoints/levels/upload_level.rs +++ b/src/endpoints/levels/upload_level.rs @@ -8,6 +8,7 @@ use base64::{Engine as _, engine::general_purpose}; use std::fs; +use crate::config::CONFIG; use crate::helpers; use crate::db; @@ -96,6 +97,11 @@ pub fn upload_level(input: Form) -> status::Custom<&'static str return status::Custom(Status::Ok, "-1") } + // too many objects + if objects_val > CONFIG.levels.max_objects as usize { + return status::Custom(Status::Ok, "-1") + } + // forbidden object checking if let Some(_forbidden_object) = level_objects.iter().find(|obj| crate::CONFIG.levels.blocklist.contains(&obj.id())) { return status::Custom(Status::Ok, "-1") diff --git a/src/main.rs b/src/main.rs index 6ca4c01..cd1b439 100644 --- a/src/main.rs +++ b/src/main.rs @@ -8,8 +8,9 @@ use std::fs; use std::path::{Path, PathBuf}; use rocket::fs::NamedFile; +use rocket::data::{Limits, ToByteUnit}; -use rocket_dyn_templates::{ Template }; +use rocket_dyn_templates::Template; mod db; use db::*; 
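Review bot: The added `if let None = input.local` branch runs `.expect("couldnt convert query input to i32")` on the request's `str` field, so a non-numeric value panics the handler instead of returning the `-1` reply this function uses for other rejections. Handling the error keeps malformed requests on the normal path, e.g. `let Ok(user_id_val) = input.str.parse::<i32>() else { return status::Custom(Status::Ok, "-1") };` (the type argument is missing from the page; `i32` is taken from the message text). The context line above has the same `.expect`, and `input.local.is_none()` would read more directly than `if let None`. The body of `get_levels` starts and ends outside this hunk.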
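Review bot: The new limit compares `objects_val`, which is assigned outside this hunk; if it is taken from a count the client submits rather than from the decoded level, an understated count passes the check regardless of how many objects the level holds. The blocklist check just below already walks `level_objects`, so `if level_objects.len() > CONFIG.levels.max_objects as usize {` would bind the cap to the parsed data, assuming `level_objects` is a `Vec` or slice. The added line also reaches the config through the imported `CONFIG` while the next check uses `crate::CONFIG`; one spelling would be easier to follow. `upload_level` continues beyond the hunk on both sides.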
@@ -41,7 +42,8 @@ fn rocket() -> _ {
 // conf
 .configure(rocket::Config::figment()
 .merge(("port", CONFIG.general.port))
- .merge(("ip_header", CONFIG.general.realip_header.as_str())))
+ .merge(("ip_header", CONFIG.general.realip_header.as_str()))
+ .merge(("limits", Limits::new().limit("forms", 10.megabytes()))))
 // actual website
 .mount("/", routes![
 template_endpoints::index::index
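Review bot: The limit added in the `.configure(...)` chain is registered under the name `"forms"`, but if this is Rocket 0.5 (which the `rocket::data::{Limits, ToByteUnit}` import suggests) the `Form` guard reads the `form` limit, and `data-form` for multipart bodies, so the 10 MB value would not take effect and uploads stay at the default cap. Using the crate's constant avoids the mismatch: `.merge(("limits", Limits::new().limit(Limits::FORM, 10.megabytes())))`. A test that posts a body just over the old default and one just over 10 MB would confirm the cap sits where intended, since this limit presumably bounds the request size before the `max_objects` check runs. `rocket()` starts and ends outside the hunk.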