fix counts returned to non-staff users in apiv2

[valentijnscholten]

fix #4069

For non-staff users, we have queries where we filter objects based on the authorized_users property of the product or product type:

    def get_queryset(self):
        if not self.request.user.is_staff:
            return self.queryset.filter(
                Q(test__engagement__product__authorized_users__in=[self.request.user]) |
                Q(test__engagement__product__prod_type__authorized_users__in=[self.request.user])
            )
        else:
            return self.queryset

This works OK, but will join a couple of tables and could lead to objects being in the result multiple times. This PR adds .distinct() to resolve this.

There's also one place where we had 2 different queries for the list of findings and the count of that list.

[valentijnscholten]

@StefanFl I didn't change the authorization v2 code, but there we might have a chance of duplicate items in the result as well.

[StefanFl]

If it's save to use distinct() without other side effects then it would make sense to put it in there.

[valentijnscholten]

If it's save to use distinct() without other side effects then it would make sense to put it in there.

it's safe but needed probably because a join creates all possible combinations. side effect is that distinct() might make it slightly slower.

[madchap]

Thanks. Let's try that out.

[damiencarol]

good catch!