Can entity validation rules be bypassed?

This has been discussed a lot, as well as just here in the office. We did not agree on microflow validations (versus entity validation), as the argument was that only through microflow validation flows all business rules can be met, no matter the approach. Specifically in context of 'hackers' which can bypass the front-end environment and thus entity validation was not met. Now entity validation is on database level, assuming the entity is persistable. Can this validation be or not be bypassed? And thus, assuming validation requires no specific logic, should entity or microflow validation be used as best practise?
4 answers

Entity validation cannot be bypassed (assuming there's no platform bug).

As this is a hard restriction with limited capabilities I find it usefull only in a few cases. Very often there is one situation where a non-empty-validated attribute still MAY be empty,

Microflow validation on the other hand is (as all should know) not save in all cases, as you can just commit from the client API.

One way to handle more complex critical validation is using BeforeCommit events and prevent the commit on validation errors - a client side commit will always trigger these events.


As this is a quite complex topic there's no definite answer here though.

regards, Fabian


Hi Sander,

Validation should be layered to cover all circumstances and eventualities. Basic validation can be done in the entity itself while, as you wrote, business rule validation will be done in microflows. Going the extra mile and pull through with a layered access and validation control is worth it. I tend to use microflow validation alot, most of the time because I can use parameters for a more defined user feedback :)

Here is what Mendix has to say about it:

Basically they also explain Attribute access first and then go into depth for special needs



As an addition I'd like to mention that it is possible to apply entity access to microflows (but it is easy to forget and later wonder why something works or does not work ;) ) However, this does not directly influence the attribute validation.



I'm not sure if this is still valid but I ran into an issue with auto committed objects not triggering the database validation. I had a form with a lot of entities on it and I forgot to commit one of them, but the object was still committed and would bypass all entity validation. 


I usually use database validation on a couple attributes that should absolutely never be empty or be set a certain way and then microflow validation for validating associations and more complex things. Its just an added layer in case someone new to the project forgets to use the validation microflow.


In case you want to prevent data corruption, entity validation makes sense in my opinion. This really prevents that the wrong values enter your database, either from the front-end or a backdoor.

However, microflow/nanoflow validation is much more flexible/user-friendly and therefore has my preference for all other cases.