Ensure we don't show TODOS for projects pending delete
## What does this MR do?
Joins the todos on the projects table in order to run the default scope. Also includes a where clause because the default scope is being removed soon.
## Are there points in the code the reviewer needs to double check?
An alternative approach, more like the Issues page, would be to filter down the list by passing user.authorized_projects into the where clause.
Or we could just be more defensive in the view when iterating.
## Why was this MR needed?
Todos page throws 500 error for users with todos in a project pending deletion.
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17813
cc\ @stanhu
See merge request !4300
