
Low: libcrmcommon: avoid use-after-free when enforcing creation ACLs

Description

As detected by static analysis, pcmk__post_process_acl() can free its argument,
yet some callers continued to use the argument afterward.

The existing code apparently tried to get around this by freeing the argument
only if it wasn't the root element of the XML document. However, some callers
do pass non-root elements.

The circumstances where the use-after-free could occur seem limited enough
that it hasn't been seen in practice.

This avoids any chance of use-after-free by adding an argument indicating
whether the argument itself should be checked, or just its children (replacing
the root element check). All callers specify just children, except
pcmk__post_process_acl()'s recursive calls for the children.

xml_diff_object() gets a similar argument to pass along to
pcmk__post_process_acl().
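The pattern the commit describes, shown as an added illustration rather than Pacemaker's own code: a recursive ACL post-processing routine that may free the element it is handed, and a `check_self` flag so that callers can ask for only the children to be checked, which keeps the caller's own pointer valid. The tree type, `post_process_acl()`, `enforce_sample()` and the element names below are all hypothetical stand-ins for the libcrmcommon/libxml2 structures and are not the project's API.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal element tree standing in for an XML document.
 * It is NOT Pacemaker's xmlNode API; it exists only to show the pattern. */
typedef struct node {
    const char *name;
    bool creation_denied;        /* stands in for "ACL denies creating this element" */
    struct node *first_child;
    struct node *next_sibling;
} node_t;

static node_t *node_new(const char *name, bool creation_denied)
{
    node_t *n = calloc(1, sizeof(*n));
    if (n == NULL) { abort(); }
    n->name = name;
    n->creation_denied = creation_denied;
    return n;
}

static void node_append_child(node_t *parent, node_t *child)
{
    node_t **link = &parent->first_child;
    while (*link != NULL) { link = &(*link)->next_sibling; }
    *link = child;
}

/* Free a node and its whole subtree (siblings are the caller's concern). */
static void node_free(node_t *n)
{
    node_t *child = n->first_child;
    while (child != NULL) {
        node_t *next = child->next_sibling;   /* save before freeing */
        node_free(child);
        child = next;
    }
    free(n);
}

/* Remove elements the ACL forbids. With check_self == false only the children
 * of `node` are candidates for removal, so the caller's pointer stays valid
 * afterward; the recursive calls for the children pass true. `link` is the
 * pointer that references `node` in its parent's chain (used to unlink it)
 * and may be NULL when check_self is false. Returns true when `node` itself
 * was freed, in which case the caller must not touch it again. */
static bool post_process_acl(node_t **link, node_t *node, bool check_self,
                             int *removed)
{
    if (check_self && node->creation_denied) {
        *link = node->next_sibling;   /* unlink from the parent's child chain */
        node->next_sibling = NULL;
        node_free(node);
        (*removed)++;
        return true;
    }
    node_t **child_link = &node->first_child;
    while (*child_link != NULL) {
        node_t *child = *child_link;
        if (!post_process_acl(child_link, child, true, removed)) {
            child_link = &child->next_sibling;   /* child survived: advance */
        }
        /* else *child_link already points at the next sibling; `child` is gone */
    }
    return false;
}

static int count_nodes(const node_t *n)
{
    int total = 0;
    for (; n != NULL; n = n->next_sibling) {
        total += 1 + count_nodes(n->first_child);
    }
    return total;
}

/* Build a constructed sample document, enforce the ACL on the root's subtree,
 * and report how many elements were removed and how many remain. The root is
 * passed with check_self == false, so using `root` after the call is safe. */
static int enforce_sample(int *remaining)
{
    node_t *root = node_new("cib", false);
    node_t *resources = node_new("resources", false);
    node_append_child(root, resources);
    node_append_child(resources, node_new("primitive-denied", true));
    node_append_child(resources, node_new("primitive-allowed", false));
    node_append_child(root, node_new("constraints-denied", true));

    int removed = 0;
    post_process_acl(NULL, root, false, &removed);
    *remaining = count_nodes(root);   /* root is still a valid pointer here */
    node_free(root);
    return removed;
}

static int sample_removed(void)   { int r = 0; return enforce_sample(&r); }
static int sample_remaining(void) { int r = 0; enforce_sample(&r); return r; }

int main(void)
{
    printf("removed %d element(s), %d remain\n", sample_removed(), sample_remaining());
    return 0;
}
```

The child loop only advances its link when the recursive call reports that the child survived; when the child freed itself, the link already points at the next sibling, so nothing dereferences the freed node. A caller that passed `check_self == true` for an element it intended to keep using would reintroduce exactly the hazard the commit removes.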

Details

Provenance
kgaillotAuthored on Jun 18 2019, 6:00 PM
Parents
rP3183a942298a: Refactor: libcrmcommon: make ACL creation checks more efficient
Branches
Unknown
Tags
Unknown
