Umm - "it's not possible to implement this via access rights" - of course it is. It is YOUR CHOICE whether to give users the "view all portlets" access right, and if your environment has done this then I would suggest that that was the wrong thing to do (ever!).
You cannot limit the visibility of a portlet by "code"; the application is deciding whether to display the portlet/page or not (based upon access rights) before any portlet code has run. You can identify the executing user using NSQL constructs (@WHERE:PARAM:USER_ID@ / @WHERE:PARAM:USER_NAME@), so your code could choose to not return any results if the user was not in a specified list or security group, but this is really a poor way of controlling access, I think.
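
For reference, the query-level filter described in the post above could look like the following NSQL. This is an added example, not code from the original poster. It assumes the tables INV_INVESTMENTS, CMN_SEC_GROUPS and CMN_SEC_USER_GROUPS with the columns shown, and a hypothetical security group code 'PORTLET_VIEWERS'.

```sql
-- Added example: NSQL for a query-based portlet that returns rows only
-- when the executing user belongs to one security group.
-- Assumptions: table and column names as listed in the lead-in;
-- 'PORTLET_VIEWERS' is a hypothetical group code.
SELECT @SELECT:DIM:USER_DEF:IMPLIED:INVESTMENT:I.ID:INVESTMENT_ID@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:INVESTMENT:I.CODE:INVESTMENT_CODE@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:INVESTMENT:I.NAME:INVESTMENT_NAME@
FROM   INV_INVESTMENTS I
WHERE  @FILTER@
-- Membership check keyed on the executing user. For a user outside the
-- group the subquery is empty, so the portlet renders with no rows.
AND    EXISTS (
         SELECT 1
         FROM   CMN_SEC_USER_GROUPS UG
         JOIN   CMN_SEC_GROUPS G ON G.ID = UG.GROUP_ID
         WHERE  UG.USER_ID   = @WHERE:PARAM:USER_ID@
         AND    G.GROUP_CODE = 'PORTLET_VIEWERS'
       )
-- This filters data only. Whether the portlet or page is displayed at all
-- is still decided by access rights before this query runs, so a user
-- holding "view all portlets" still sees the (empty) portlet.
```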