a generic way to check the queried model object
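/**
 * isOwner policy: lets the request continue only when the queried record
 * matches `{owner: req.session.user_id}`; every other outcome ends in a 403.
 *
 * @param {Object} req - request; reads req.session.user_id and is handed to ModelPolicy
 * @param {Object} res - response used to send the 403 JSON body
 * @param {Function} next - called when the ownership check passes
 */
module.exports = function(req, res, next) {
  // Single denial path so every failure mode produces the same response.
  function deny() {
    res.status(403);
    return res.json({error:'not allowed'});
  }

  // Only a strict boolean true allows the request; a truthy object
  // (for example an unresolved promise) must never count as "allowed".
  function decide(allowed) {
    if (allowed === true) {
      return next();
    }
    return deny();
  }

  // Without a logged-in user there is no owner to compare against.
  if (!req.session || req.session.user_id == null) {
    return deny();
  }

  var verdict;
  try {
    // `new` is required: ModelPolicy stores req on `this`, so a plain call
    // returns undefined and the method call below would throw.
    var policyValidator = new ModelPolicy(req);
    verdict = policyValidator.queriedModelCreteria({owner: req.session.user_id});
  } catch (err) {
    // Fail closed: an error while evaluating ownership is a denial.
    return deny();
  }

  // Accept either a boolean or a thenable, so the check keeps working
  // if the lookup is made asynchronous.
  if (verdict && typeof verdict.then === 'function') {
    return verdict.then(decide, deny);
  }
  return decide(verdict);
};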
var wlFilter = require('waterline-criteria');
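/**
 * Wraps a request so ownership criteria can be evaluated against the
 * record it addresses.
 *
 * @constructor
 * @param {Object} req - the incoming request; stored as this.req
 */
function ModelPolicy(req) {
  // Tolerate being called without `new`, which would otherwise
  // leave the caller holding undefined instead of a validator.
  if (!(this instanceof ModelPolicy)) {
    return new ModelPolicy(req);
  }
  this.req = req;
}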
/**
 * Look up the record addressed by the request's "id" parameter and test it
 * against `criteria`.
 *
 * @param {Object} criteria - criteria object passed on to customModelCreteria
 * @returns {boolean} true when req.options.model is falsy, otherwise the
 *   result of customModelCreteria
 */
ModelPolicy.prototype.queriedModelCreteria = function(criteria) {
// NOTE(review): .findOne is called directly on req.options.model; confirm it
// holds a model object here and not a model identity string.
var Model = this.req.options.model;
// Fails open: a request with no model set passes the ownership check.
if(!Model) return true; // if it's not a model, just continue
// NOTE(review): model_obj receives whatever .then() returns, which looks like
// a pending promise rather than the record, so the criteria filter below would
// run before the lookup has completed. Confirm, and make this check
// asynchronous together with the calling policy: a returned promise is truthy,
// so changing only this method would let every request through.
var model_obj = Model.findOne(this.req.param("id")).then(function(data){
return data;
});
return this.customModelCreteria(model_obj, criteria);
};
/**
 * Test a model object against a criteria object.
 *
 * @param {Object} model_obj - data handed to the waterline-criteria filter
 * @param {Object} criteria - criteria the data must satisfy
 * @returns {boolean} true when the filter reports at least one result
 */
ModelPolicy.prototype.customModelCreteria = function(model_obj, criteria) {
  var matched = wlFilter(model_obj, criteria).results;
  return matched.length > 0;
};
// Policy map for ProductController.
// '*': true lets every action without its own entry through with no policy,
// so only the action named 'delete' is owner-checked; update and any other
// mutating action are not covered by isOwner.
// NOTE(review): the Sails blueprint removal action is named 'destroy';
// confirm ProductController really exposes an action called 'delete',
// otherwise isOwner never runs.
var productControllerPolicies = {};
productControllerPolicies['*'] = true;
productControllerPolicies['delete'] = 'isOwner';

module.exports.policies = {
  ProductController: productControllerPolicies
};