By having an inverted condition, attackers
could upload arbitrary extensions by only knowing
the username and the extension key.

When knowing a username of a TER admin,
it was also possible to perform TER admin
commands (like deleting extensions) via SOAP