diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
index 230249ff0..49a25946a 100644
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -3,6 +3,8 @@
 class ReportsController < ApplicationController
   respond_to :html, :json, :xml
 
+  rate_limit :show, rate: 1.0/3.seconds, burst: 15
+
   def index
   end
 
@@ -75,7 +77,16 @@ class ReportsController < ApplicationController
     @from = params.dig(:search, :from) || 1.month.ago
     @to = params.dig(:search, :to) || Time.zone.now
 
-    @results = @model.search(params[:search], CurrentUser.user).timeseries(period: @period, from: @from, to: @to, columns: @columns)
+    if CurrentUser.user.is_member? && CurrentUser.user.statement_timeout < 10_000
+      @statement_timeout = 10_000
+    else
+      @statement_timeout = CurrentUser.user.statement_timeout
+    end
+
+    ApplicationRecord.set_timeout(@statement_timeout) do
+      @results = @model.search(params[:search], CurrentUser.user).timeseries(period: @period, from: @from, to: @to, columns: @columns)
+    end
+
     respond_with(@results)
   end
 end
diff --git a/app/models/application_record.rb b/app/models/application_record.rb
index baa3cad66..0b5f26ea7 100644
--- a/app/models/application_record.rb
+++ b/app/models/application_record.rb
@@ -134,6 +134,13 @@ class ApplicationRecord < ActiveRecord::Base
 
   concerning :ActiveRecordExtensions do
     class_methods do
+      def set_timeout(n)
+        connection.execute("SET STATEMENT_TIMEOUT = #{n}") unless Rails.env.test?
+        yield
+      ensure
+        connection.execute("SET STATEMENT_TIMEOUT = #{CurrentUser.user.statement_timeout}") unless Rails.env.test?
+      end
+
       def without_timeout
         connection.execute("SET STATEMENT_TIMEOUT = 0") unless Rails.env.test?
         yield