fix: Password validation fires before disabled invites check#7711

Merged: khvn26 merged 2 commits into Flagsmith:main from 10done:fix/registration-invite-validation-ordering on Jun 15, 2026

Conversation

@10done 10done commented Jun 5, 2026

Contributor

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Fixes #7695
Moved _validate_registration_invite() to execute before super().validate()
in CustomUserCreateSerializer.validate().

Uninvited users should be rejected immediately with 403 before the server
performs any further validation. The previous ordering also had a minor
security implication — it leaked password rule feedback to users who were
not authorised to register at all.

How did you test this code?

  • test_register__without_invite_when_disabled__returns_forbidden — passes
    deterministically
  • Full custom_auth unit + integration test suite — all passing

@10done 10done requested a review from a team as a code owner June 5, 2026 01:10
@10done 10done requested review from khvn26 and removed request for a team June 5, 2026 01:10
vercel Bot commented Jun 5, 2026


@10done is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@10done 10done changed the title Validating registration before password validation fix: validate registration invite before password validation Jun 5, 2026
@github-actions github-actions Bot added the api Issue related to the REST API label Jun 5, 2026
codecov Bot commented Jun 5, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.39%. Comparing base (cbcac64) to head (77a69fd).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7711      +/-   ##
==========================================
- Coverage   98.52%   98.39%   -0.13%     
==========================================
  Files        1444     1452       +8     
  Lines       54971    55804     +833     
==========================================
+ Hits        54161    54910     +749     
- Misses        810      894      +84     

@matthewelwell

Contributor

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request moves the registration invite validation to the beginning of the validate method in api/custom_auth/serializers.py. However, this change exposes a user enumeration vulnerability because Django Rest Framework's field-level validators run before the serializer's validate method. This allows uninvited users to determine if an email is registered based on whether they receive a 400 (email exists) or a 403 (no invite) response. It is recommended to remove the default UniqueValidator and perform the uniqueness check manually after the invite validation.
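A constructed Python model of the ordering the reviewer describes, added here and not Flagsmith's code: DRF runs field-level validators before Serializer.validate(), so a field-level UniqueValidator on email answers 400 before the invite check inside validate() can answer 403. The model assumes an invited-email set and an existing-email set (both constructed), compares the field-level uniqueness check with one deferred until after the invite check, and exposes a regression check that confirms an uninvited request gets the same status whether or not the email is already registered.

```python
import re

# Constructed model of DRF's validation order; added illustration, not Flagsmith's code.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ValidationError(Exception):
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def run_field_validators(data, existing_emails, unique_at_field_level):
    # Stage 1: DRF runs these before validate(), whatever validate() does.
    if not EMAIL_RE.match(data.get("email", "")):
        raise ValidationError(400, "invalid email")
    if unique_at_field_level and data["email"] in existing_emails:
        # Field-level UniqueValidator answers 400 before the invite check
        # can answer 403: the enumeration oracle the reviewer describes.
        raise ValidationError(400, "email already exists")


def validate(data, invited_emails, existing_emails, unique_at_field_level):
    # Stage 2: Serializer.validate(), in the order the PR establishes.
    if data["email"] not in invited_emails:
        raise ValidationError(403, "invite required")
    if len(data.get("password", "")) < 8:
        raise ValidationError(400, "password does not meet requirements")
    if not unique_at_field_level and data["email"] in existing_emails:
        # Hardened variant: uniqueness checked only after the invite check.
        raise ValidationError(400, "email already exists")


def register(data, *, invited_emails, existing_emails, unique_at_field_level):
    """Return the HTTP status a client would observe for this payload."""
    try:
        run_field_validators(data, existing_emails, unique_at_field_level)
        validate(data, invited_emails, existing_emails, unique_at_field_level)
    except ValidationError as exc:
        return exc.status
    return 201


def uninvited_responses_differ(known, unknown, **config):
    """Regression check: an uninvited client must see the same status for a
    registered email (known) and an unregistered one (unknown)."""
    probe = {"password": "x"}  # fails password rules, so only ordering matters
    return (register({**probe, "email": known}, **config)
            != register({**probe, "email": unknown}, **config))
```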

@khvn26 khvn26 left a comment

Member

I believe this is the correct solution, nice job 👍

@khvn26 khvn26 changed the title fix: validate registration invite before password validation fix: Password validation fires before disabled invites check Jun 15, 2026
@khvn26 khvn26 merged commit 8cf2785 into Flagsmith:main Jun 15, 2026
22 of 25 checks passed
Development

Successfully merging this pull request may close these issues.

Flaky test_register__without_invite_when_disabled__returns_forbidden