From b21cd98085fa93f21edffd024564a9884a26bf46 Mon Sep 17 00:00:00 2001
From: Rik Smale <13023439+WikiRik@users.noreply.github.com>
Date: Tue, 24 Sep 2024 18:42:04 +0200
Subject: [PATCH] fix(stats): only use 1 application per user (#794)

Co-authored-by: Rik Smale <git@riksmale.info>
---
 lib/applications.js | 16 +++++++++++++---
 lib/helpers.js      |  2 ++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/applications.js b/lib/applications.js
index b79049e0..e371fa72 100644
--- a/lib/applications.js
+++ b/lib/applications.js
@@ -370,13 +370,23 @@ exports.getStats = async (req, res) => {
         .countByField(applications, 'event_id')
         .map(({ type, value }) => ({ type: events.find((event) => event.id === type).name, value }));
 
-    // TODO: only use one application per user from here
+    let uniqueApplicationUsersQuery = {
+        ...applicationQuery,
+        attributes: ['user_id', 'body_name', 'nationality', 'event_id'],
+        group: ['user_id', 'body_name', 'nationality', 'event_id'],
+    };
+
+    if (req.query.season) {
+        uniqueApplicationUsersQuery = { ...uniqueApplicationUsersQuery, group: ['user_id', 'body_name', 'nationality', 'event_id', 'event.id'] };
+    }
+
+    const uniqueApplicationUsers = await Application.findAll(uniqueApplicationUsersQuery);
 
     statsObject.by_body = helpers
-        .countByField(applications, 'body_name');
+        .countByField(uniqueApplicationUsers, 'body_name');
 
     statsObject.by_nationality = helpers
-        .countByField(applications, 'nationality');
+        .countByField(uniqueApplicationUsers, 'nationality');
 
     return res.json({
         success: true,
diff --git a/lib/helpers.js b/lib/helpers.js
index aa6fa2f5..8e26d3b9 100644
--- a/lib/helpers.js
+++ b/lib/helpers.js
@@ -251,6 +251,8 @@ exports.getEventPermissions = async ({ permissions, event, user }) => {
             status: 'accepted'
         } });
 
+        // TODO: when is this permission checked? It should be done everytime an application is created or updated
+        // TODO: we've seen duplicate applications and people confirmed for two separate events
         permissions.apply = event.application_status === 'open'
             && event.published === 'covid'
             && permissions.apply_general