A user has self read rights on the user object. On the memberships returned the user cannot query the roles that are in the membership.
I'd like to propose a change that would allow an authenticated user to get the role objects of which he is member.
This is userful in a scenario where roles contain useful attributes for external applications.
The proposed change is limited to the role itelf and not its parents since this might divulge too much information.
I've created a patch for the rolecontrolle. Maybe the additional method could be moved to the entitlementutil class but it has nothing to do with the entitlements themselves and shouldn't be mixed I guess.