Total result count doesn't respect RM role

Steps to reproduce

1. Create a category, folder and record.
2. Create a new user Bob (not an RM user) and add them to the category with read only permission.
3. Search for the record using Bob.

Expected

4. The total count should be 0 (i.e. "0 results found")

Actual

4. The total count is 1 (i.e. "1 - results found").

Notes

This happens because the RM role filtering is done in AGS (see RMAfterInvocationProvider.decide). In this specific case (the filtered result is on the current page of results) it would be possible to workaround this issue and update the count in AGS, however this will not work if the filtered record was on another page of the results.

There are several ways this could be fixed by filtering in Solr instead (see a more detailed discussion here):

• Prevent users from having read or write permissions on a category without also having the read records capability.

• Use a new user group (and ACLs) for the read records capability.

• Use a query filter (as is done for security marks).

This issue also affects the SQL endpoint (although it's currently not observable due to other issues - see SEARCH-1271, ).