Bug #25104

open

Permissions for roles can be modified even if user does not have :edit_roles permission

Added by Ondřej Pražák over 6 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

It is possible to add permissions to a role, and remove them from it, even if current_user does not have the :edit_roles permission. The cause is that filters cannot exist without being associated with a role, but the permission checks on filters do not take that association into consideration. When a filter is created it is always associated with a role, and that role gains access to permissions through the filter, so even though the role record itself has not been modified, the role has effectively gained new permissions through its associations.

We should turn filters into a proper nested resource that fully depends on a role.

Steps to reproduce:

1) Create a role with the following permissions: :view_roles, :view_filters, :create_filters, :update_filters, :destroy_filters
2) Create a new user named Bob, assign him the role created in step 1, and then log in as Bob
3) Go to Administer -> Roles, then click the 'Filters' button for a role that is not locked. This shows the index of that role's filters, with Edit buttons in the Actions table column.
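As an added example that is not Foreman's own code (the class and method names are assumptions chosen for illustration), the following Ruby sketch models the relationship the description sets out: a role grants only what its filters grant, so a filter update is a role update. It contrasts a check that authorizes filter updates against the filter permissions alone, which lets Bob escalate, with one that treats the filter as nested under its role and also refuses locked roles.

```ruby
# Added example, not Foreman's code: a minimal model of users, roles and
# filters reproducing the authorization gap in this report, plus the check
# that closes it. Names are assumptions for illustration.
require 'set'

class Role
  attr_reader :name, :filters, :locked

  def initialize(name, locked: false)
    @name = name
    @locked = locked
    @filters = []
  end

  # A role carries no permissions directly; it grants the union of the
  # permissions of its filters, which is why editing a filter edits the role.
  def permissions
    filters.flat_map(&:permissions).to_set
  end
end

class Filter
  attr_reader :role, :permissions

  # A filter cannot exist without a role (as in the report).
  def initialize(role, permissions)
    @role = role
    @permissions = permissions.dup
    role.filters << self
  end
end

class User
  attr_reader :roles

  def initialize(*roles)
    @roles = roles
  end

  def permissions
    roles.map(&:permissions).reduce(Set.new, :|)
  end

  def allowed?(permission)
    permissions.include?(permission)
  end
end

# Check as described in the report: the update is authorized only against
# the filter permissions; the parent role is never consulted.
VULNERABLE_FILTER_UPDATE = lambda do |user, _filter|
  user.allowed?(:update_filters)
end

# Hardened check: a filter is a nested resource of its role, so changing it
# changes the role. Require :edit_roles as well and refuse locked roles.
HARDENED_FILTER_UPDATE = lambda do |user, filter|
  return false if filter.role.locked
  user.allowed?(:update_filters) && user.allowed?(:edit_roles)
end

# Add a permission to a filter if the given authorizer allows it.
def add_permission_to_filter(user, filter, permission, authorizer)
  return false unless authorizer.call(user, filter)
  filter.permissions << permission
  true
end

# Steps from the report: Bob holds only the filter permissions from step 1
# and targets an unlocked role. Returns whether the write was accepted and
# whether the target role ended up granting the new permission.
def escalation_demo(authorizer)
  bob_role = Role.new('filter editor')
  Filter.new(bob_role, %i[view_roles view_filters create_filters update_filters destroy_filters])
  bob = User.new(bob_role)

  target = Role.new('viewer')
  target_filter = Filter.new(target, %i[view_hosts])

  accepted = add_permission_to_filter(bob, target_filter, :destroy_hosts, authorizer)
  { accepted: accepted, target_grants_destroy_hosts: target.permissions.include?(:destroy_hosts) }
end

# Even a user who holds :edit_roles must not modify a locked role's filters.
def locked_role_demo(authorizer)
  editor_role = Role.new('role editor')
  Filter.new(editor_role, %i[view_filters update_filters edit_roles])
  editor = User.new(editor_role)
  locked = Role.new('Manager', locked: true)
  locked_filter = Filter.new(locked, %i[view_hosts])
  add_permission_to_filter(editor, locked_filter, :destroy_hosts, authorizer)
end

if __FILE__ == $PROGRAM_NAME
  p escalation_demo(VULNERABLE_FILTER_UPDATE)
  p escalation_demo(HARDENED_FILTER_UPDATE)
end
```

The difference between the two authorizers is the whole fix: the hardened check looks through the filter to its owning role before allowing the write, which is what making filters a nested resource of roles enforces structurally rather than per-action.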
