FIX: tag groups page should only be visible to staff

No security concern here because nothing private was visible,
and no actions could be taken by non-staff users.

app/controllers/tag_groups_controller.rb

@@ -1,5 +1,7 @@
 class TagGroupsController < ApplicationController
-  requires_login except: [:index, :show]
+
+  requires_login
+  before_action :ensure_staff
 
   skip_before_action :check_xhr, only: [:index, :show]
   before_action :fetch_tag_group, only: [:show, :update, :destroy]

config/routes.rb

@@ -793,7 +793,7 @@ Discourse::Application.routes.draw do
     end
   end
 
-  resources :tag_groups, except: [:new, :edit] do
+  resources :tag_groups, constraints: StaffConstraint.new, except: [:new, :edit] do
     collection do
       get '/filter/search' => 'tag_groups#search'
     end