diff --git a/application/Espo/Controllers/Admin.php b/application/Espo/Controllers/Admin.php
index 82cb02aa81..b047273e59 100644
--- a/application/Espo/Controllers/Admin.php
+++ b/application/Espo/Controllers/Admin.php
@@ -101,16 +101,7 @@ class Admin
      */
     public function postActionUploadUpgradePackage(Request $request): object
     {
-        if (
-            $this->config->get('restrictedMode') &&
-            !$this->user->isSuperAdmin()
-        ) {
-            throw new Forbidden();
-        }
-
-        if ($this->config->get('adminUpgradeDisabled')) {
-            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
-        }
+        $this->assertUpgradeAllowed();
 
         $data = $request->getBodyContents();
 
@@ -137,12 +128,7 @@ class Admin
     {
         $data = $request->getParsedBody();
 
-        if (
-            $this->config->get('restrictedMode') &&
-            !$this->user->isSuperAdmin()
-        ) {
-            throw new Forbidden();
-        }
+        $this->assertUpgradeAllowed();
 
         $upgradeManager = new UpgradeManager($this->container);
 
@@ -190,4 +176,18 @@ class Admin
 
         return (object) $this->systemRequirements->getAllRequiredList();
     }
+
+    /**
+     * @throws Forbidden
+     */
+    private function assertUpgradeAllowed(): void
+    {
+        if ($this->config->get('restrictedMode')) {
+            throw new Forbidden("Not allowed in restricted mode.");
+        }
+
+        if ($this->config->get('adminUpgradeDisabled')) {
+            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
+        }
+    }
 }
diff --git a/application/Espo/Controllers/Extension.php b/application/Espo/Controllers/Extension.php
index 7b980142d6..570999f7f7 100644
--- a/application/Espo/Controllers/Extension.php
+++ b/application/Espo/Controllers/Extension.php
@@ -53,13 +53,7 @@ class Extension extends RecordBase
      */
     public function postActionUpload(Request $request): stdClass
     {
-        if ($this->config->get('restrictedMode') && !$this->user->isSuperAdmin()) {
-            throw new Forbidden();
-        }
-
-        if ($this->config->get('adminUpgradeDisabled')) {
-            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
-        }
+        $this->assertUpgradeAllowed();
 
         $body = $request->getBodyContents();
 
@@ -127,9 +121,7 @@ class Extension extends RecordBase
     {
         $params = $request->getRouteParams();
 
-        if ($this->config->get('restrictedMode') && !$this->user->isSuperAdmin()) {
-            throw new Forbidden();
-        }
+        $this->assertUpgradeAllowed();
 
         $manager = $this->createManager();
 
@@ -152,4 +144,18 @@ class Extension extends RecordBase
     {
         return $this->injectableFactory->create(ExtensionManager::class);
     }
+
+    /**
+     * @throws Forbidden
+     */
+    private function assertUpgradeAllowed(): void
+    {
+        if ($this->config->get('restrictedMode')) {
+            throw new Forbidden("Not allowed in restricted mode.");
+        }
+
+        if ($this->config->get('adminUpgradeDisabled')) {
+            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
+        }
+    }
 }