Joins the todos on the projects table in order to run the default scope. Also includes a where clause because the default scope is being removed soon.
An alternative approach, more like the Issues page, would be to filter down the list by passing user.authorized_projects into the where clause.
Or we could just be more defensive in the view when iterating.
Todos page throws 500 error for users with todos in a project pending deletion.