From c16fc06cb9fd28c21556f83855498985739e41e8 Mon Sep 17 00:00:00 2001
From: Ryan Brandenburg
Date: Thu, 28 Jul 2016 16:55:08 -0700
Subject: [PATCH] Modify warning about policy behavior (#924)
---
 .../DefaultAuthorizationPolicyProvider.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Microsoft.AspNetCore.Authorization/DefaultAuthorizationPolicyProvider.cs b/src/Microsoft.AspNetCore.Authorization/DefaultAuthorizationPolicyProvider.cs
index 6fb8bd68dc..0e4329dcc0 100644
--- a/src/Microsoft.AspNetCore.Authorization/DefaultAuthorizationPolicyProvider.cs
+++ b/src/Microsoft.AspNetCore.Authorization/DefaultAuthorizationPolicyProvider.cs
@@ -45,7 +45,9 @@ namespace Microsoft.AspNetCore.Authorization
 /// The named .
 public virtual Task GetPolicyAsync(string policyName)
 {
- // MVC relies on DefaultAuthorizationPolicyProvider providing the same policy for the same requests.
+ // MVC caches policies specifically for this class, so this method MUST return the same policy per
+ // policyName for every request or it could allow undesired access. It also must return synchronously.
+ // A change to either of these behaviors would require shipping a patch of MVC as well.
 return Task.FromResult(_options.GetPolicy(policyName));
 }
 }
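Review bot: The invariant in the new comment inside `GetPolicyAsync` is an access-control contract ("could allow undesired access"), yet it is visible only to someone reading the method body; the method is `public virtual` and already carries `///` docs, so the contract should be stated there as well, e.g. `/// <remarks>Must complete synchronously and return the same policy for a given policyName on every call; MVC caches the result for this class.</remarks>`. The guarantee also appears to rest on `_options.GetPolicy(policyName)` staying stable, i.e. on the options not being changed once requests are served, which the comment does not mention. A unit test asserting that the returned task is already completed and that two calls with one name yield the same policy would make a regression fail the build instead of surfacing as an authorization bug. The method's doc comment begins above the hunk, so only its last line is visible here.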