By having an inverted condition, attackers could upload arbitrary extensions by only knowing the username and the extension key.
When knowing a username of a TER admin, it was also possible to perform TER admin commands (like deleting extensions) via SOAP