Ensure we don't show TODOS for projects pending delete
What does this MR do?
Joins the todos on the projects table in order to run the default scope. Also includes a where clause because the default scope is being removed soon.
Are there points in the code the reviewer needs to double check?
An alternative approach, more like the Issues page, would be to filter down the list by passing user.authorized_projects into the where clause.
Or we could just be more defensive in the view when iterating.
Why was this MR needed?
Todos page throws 500 error for users with todos in a project pending deletion.
What are the relevant issue numbers?
Fixes #17813 (closed)