today CugAccessControlManager.getEffectivePolicies(Set<Principal> principals) returns an empty array and has a comment stating that this is not implemented.
having thought this through again, i think there was some benefit in having the implementation. as long as the given set of principal does NOT include everyone the return value should just include the CUG-policies that explicitly list any of principals. IF everyone was part of the set, the return-value basically includes all CUG-policies, because every CUG will deny read-access for everyone except for the principals explicitly listed in the CUG-policy... if we do the latter as lazy as possible it might still be doable even in a scenario, when there are tons of CUG-policies specified.
Alex Deparvu, wdyt? do you want to take care of this?