[SECURITY] Fix unauthorized SOAP access

By having an inverted condition, attackers
could upload arbitrary extensions by only knowing
the username and the extension key.

When knowing a username of a TER admin,
it was also possible to perform TER admin
commands (like deleting extensions) via SOAP
2 jobs for sec-soap in 1 minute and 26 seconds (queued for 2 seconds)
Status Name Job ID Coverage
  Build
passed build #3666

00:00:25

 
  Layout
passed layout #3667

00:01:01