[SECURITY] Fix unauthorized SOAP access

By having an inverted condition, attackers
could upload arbitrary extensions by only knowing
the username and the extension key.

When knowing a username of a TER admin,
it was also possible to perform TER admin
commands (like deleting extensions) via SOAP
2 jobs for sec-soap in 1 minute and 26 seconds (queued for 2 seconds)