I can reproduce the issue reliably the following way:

• unpack a jetty-hsql instance with flavor preinstalled
• disable the CSRF check for testing ( csrf.enabled = false in xwiki.properties )
• start the instance and install the Ratings Application
• close the wiki for anonymous users
• then from the commandline try: (wget -q -S -O /dev/null --http-user=Admin --http-password=admin --post-data='vote=2&doc=xwiki%3ASandbox.TestPage1' 'http://localhost:8080/xwiki/bin/get/XWiki/Ratings/RatingsUIX?basicauth=1')& (wget -q -S -O /dev/null --http-user=Admin --http-password=admin --post-data='vote=4&doc=xwiki%3ASandbox.TestPage1' 'http://localhost:8080/xwiki/bin/get/XWiki/Ratings/RatingsUIX?basicauth=1')&

I have been able to reproduce the issue for all three sandbox test pages.

Here is a snippet to check for duplicate rating entries:

#set($data = $services.ratings.getCurrentUserRatings(0, 1000, true))
#set ($resultMap = {})
#foreach ($rating in $data)
#set($hash = "${rating.managerId}${rating.reference}") ## note: user is always the same here
#set ($rating2 = $resultMap.get($hash))
#if ($rating2 != $NULL)

• duplicate rating $rating / $rating2
  #else
  #set($discard = $resultMap.put($hash, $rating))
  1. for debugging
  2. * existing rating $rating
     #end
     #end {/code}

Unfortunately I have not found a good way to remove these duplicate entries, except for deleting and restoring the affected page.