UpdateUser does not perform password validation

https://redmine.teklia.com/issues/7318

a, b, 123456 or hunter2 are valid passwords that can be sent to UpdateUser and PartialUpdateUser, while this is forbidden by the registration and password reset APIs. validate_password should be called by the UserSerializer when updating the password to prevent this.