Superficial validation on things like form fields still occurs up in the UI layer before a Use Case is invoked. Additional validation is likely to happen in the Use Case as well. It's a ubiquitous thing so just like in any other app it should be happening at a few different points but the stuff validated in the Use Case is going to be related to the business rules it's trying to execute.

My approach has always been to validate anything that crosses a trust boundary. This might be user->app; client->gateway; or app->database.

>My approach has always been to validate anything that crosses a trust boundary.

That's a good approach unless a validation requires a db call with inner join (for example). This becomes too costly to do it 5 times (for example) just to get something written into db.

It remains a good approach, even in your scenario - because that perf problem is solved using a temporal cache.

Caches are an excellent way to introduce path-dependent, time-sensitive bugs.

The safest, most bug-free code is no code at all.

I see it now .....

A interface to define the validation aspect. 3 separate implementations of said interface : 1 for db lookup, 1 for cache lookup and last for unit tests. 1 factory method which return the instance to use depending of context. Another temporal cache that holds the instance of said interface (after all, you can never have enough caches).

And all of a sudden, validating some single shit takes +300 lines of code (plus tests). Welcome to enterprise , clean, better designed, greatly arhitected software everyone....

Why do an interface at all? Is the validation definitely being shared across business functions?

This is a great/simple rule to keep in mind.

Hmm, how do you define "superficial validation"? Form field facultativity (better word?) cross-field consistency, range acceptance, presence of sql escape characters ... they can all be considered superficial, but also core business rule IMHO

"presence of sql escape characters" - isn't a business rule. That's technical.

Range acceptance - could defiantly be a business rule. Cross-field consistency - Could also be a business rule.

I implement these rules both sides. Ideally i don't want an invalid command sent off in the first place. I also don't want badly implemented UI corrupting my business data.

This way i can provide instant feedback to the user, and also protect the data in case the UI is badly implemented.

The main point of these architectures is that you can use them from many user interfaces.

"I implement these rules both sides" ... and the maintenance overhead?

Still easier than having separate domain models.

Adhering to dry in all cases, is not always the best solution. As the software community has discovered over the past years. Especially in relation to microservices.

In my software there's a bit of a disconnect between the application and interactors. As there is a message queue between them.

This is stuff like there is JavaScript regex that checks for an @ character in an email and in the back end code. There is no reason to not do both.

>they can all be considered superficial, but also core business rule IMHO

Business rules does not mean what the business (bosses) dictates that the app should have.

Business rules the rules for the business domain.

Whether you should escape sql (or even use sql) is a technical/application concern, not a business rule.

A business rule would be something like "customers must get 10% discount if they bought more than 100 units" or "no employee should be allowed to have a salary bigger than their manager", etc.

That's the entire point - large organizations are inherently broke. Read the article.

"large organizations are inherently broke" - you don't grow to be a 30BN/YR company by being inherently broke.

Fixed, thanks!

Thanks for the heads up!

Great suggestion, I've noticed it too...thanks!

Thanks a lot for the feedback, I will definitely get that form doing a true POST, note the site is run over SSL so there is transport security.

This is high on the priority list.

Yip, the site right now is AngularJS with a RESTful API powered by ServiceStack (.net web services). It won't take much to expose it publicly.

Thanks for the feedback and I agree 100%, the biggest new features will include integrating with existing fantasy services.