Thanks, I've updated the original post to reflect this improved code:
/config/policies/is-owner.js:
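/**
 * Strapi policy: let the request continue only when the authenticated user is
 * the author of the record addressed by `ctx.params.id`.
 *
 * Requirement: the content type must have a field named "author" that is an
 * N-1 relation to the users-permissions user.
 *
 * Scope of the check: it looks at the record as currently stored. It does not
 * inspect `ctx.request.body`, so on update routes the controller (or another
 * policy) still has to stop a caller from reassigning `author`.
 *
 * @param {object} ctx - Request context; reads `ctx.state.user`,
 *   `ctx.request.route.controller` and `ctx.params.id`.
 * @param {Function} next - Continues to the next policy / controller action.
 * @returns {Promise<*>} Result of `next()` when the caller owns the record,
 *   otherwise the `ctx.unauthorized(...)` response.
 */
module.exports = async (ctx, next) => {
  // Must be an authenticated user.
  const currentUser = ctx.state.user;
  if (!currentUser) {
    return ctx.unauthorized(`Forbidden`);
  }

  // The service is resolved from the route's controller name (route config,
  // not request input).
  const collection = ctx.request.route.controller;
  const service = strapi.services[collection];
  if (!service) {
    return ctx.unauthorized(`Collection ${collection} not found`);
  }

  // Fail closed when the route carries no record id. Without it the lookup
  // below would be constrained by author only (exact handling of an undefined
  // id depends on the service), so any record owned by the caller could
  // satisfy an ownership check that was meant for one specific record.
  const recordId = ctx.params.id;
  if (recordId === undefined || recordId === null || recordId === '') {
    return ctx.unauthorized(`Only the author can do this`);
  }

  // Both conditions go into one query: the record must have this id AND this
  // author. Only the first match of the returned list is needed.
  const [ownedRecord] = await service.find({
    id: recordId,
    'author.id': currentUser.id,
  });
  if (!ownedRecord) {
    // Same answer for "no such record" and "not yours", so the response does
    // not reveal whether a record with this id exists.
    // NOTE(review): every denial here is sent through ctx.unauthorized; for an
    // authenticated non-owner ctx.forbidden may be the more accurate status —
    // confirm no client depends on the current one before changing it.
    return ctx.unauthorized(`Only the author can do this`);
  }

  return await next();
};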