It would be great to have an additional setting to block POST requests when impersonating, to allow a "read-only" impersonating mode.
This is an interesting idea. I suppose it could be done easy enough in the middleware. I'll add it to the queue and try to find some time to tackle some of this stuff.