grandnode / grandnode2

Open-Source eCommerce Platform on .NET Core, MongoDB, AWS DocumentDB, Azure CosmosDB, LiteDB & Vue.js
https://grandnode.com/
GNU General Public License v3.0

Able to impersonate a customer with Manage Customer - Edit permission. #429

Closed Nikhil13x closed 10 months ago

Nikhil13x commented 10 months ago

Even if the "Admin Area. Allow Customer Impersonation" is disabled for the customer group, the user is able to impersonate and place orders on behalf of other users. On checking the code, the Impersonate method is decorated with [PermissionAuthorizeAction(PermissionActionName.Edit)] only.

So, effectively, if a user has Customer Edit permission, they can also impersonate, and the StandardPermission.AllowCustomerImpersonation doesn't have any relevance.
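The following is an added illustration, not GrandNode's code and not a patch from this issue. It models the authorization gap the report describes: a coarse entity action (`PermissionActionName.Edit` on Customer) is the only gate on a privileged operation that has its own dedicated permission (`StandardPermission.AllowCustomerImpersonation`). Those two names come from the issue; the in-memory `CustomerGroupGrants` store, the `ImpersonationGate` class, its method names and the sample groups are constructed for this example and do not mirror GrandNode's permission service API.

```csharp
// Added example (not GrandNode's code): the edit-only gate from the issue
// beside a hardened gate that also requires the dedicated impersonation permission.
using System;
using System.Collections.Generic;

// Entity-level actions; only Edit matters here. Modelled after the name on the page.
enum PermissionActionName { Read, Edit, Create, Delete }

// Dedicated permission named in the issue; the string value is constructed.
static class StandardPermission
{
    public const string AllowCustomerImpersonation = "AllowCustomerImpersonation";
}

// Constructed model of what a customer group has been granted.
sealed class CustomerGroupGrants
{
    public HashSet<PermissionActionName> CustomerActions { get; } = new();
    public HashSet<string> Permissions { get; } = new();
}

static class ImpersonationGate
{
    // Shape described in the issue: the only check is the Edit action on Customer.
    // Any group that can edit customers passes, regardless of the impersonation setting.
    public static bool CanImpersonateEditOnly(CustomerGroupGrants grants) =>
        grants.CustomerActions.Contains(PermissionActionName.Edit);

    // Hardened shape: Edit is still required, and the dedicated permission must be
    // granted explicitly. Absent grants deny by default.
    public static bool CanImpersonateHardened(CustomerGroupGrants grants) =>
        grants.CustomerActions.Contains(PermissionActionName.Edit)
        && grants.Permissions.Contains(StandardPermission.AllowCustomerImpersonation);
}

static class Program
{
    static void Main()
    {
        // Constructed: a support group that may edit customers but has
        // "Allow Customer Impersonation" disabled.
        var support = new CustomerGroupGrants();
        support.CustomerActions.Add(PermissionActionName.Edit);

        // Constructed: an administrator group with both grants.
        var admin = new CustomerGroupGrants();
        admin.CustomerActions.Add(PermissionActionName.Edit);
        admin.Permissions.Add(StandardPermission.AllowCustomerImpersonation);

        Console.WriteLine($"support, edit-only gate: {ImpersonationGate.CanImpersonateEditOnly(support)}");
        Console.WriteLine($"support, hardened gate : {ImpersonationGate.CanImpersonateHardened(support)}");
        Console.WriteLine($"admin,   hardened gate : {ImpersonationGate.CanImpersonateHardened(admin)}");
    }
}
```

Run it in an empty console project with `dotnet run`. The support group passes the edit-only gate and fails the hardened one, which is the behaviour the report asks for: the per-group impersonation setting only has an effect if the action that performs impersonation checks it, in addition to (not instead of) the entity-level Edit action. A denied attempt at that point is also a useful event to write to the admin activity log, since a user with Customer Edit trying to impersonate without the dedicated grant is something an operator would want to see.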