Hello Bryan -
Were you able to get this resolved? We're seeing a similar issue after upgrading to version 9.0. When a user logs in directly, they are restricted from modifying pages (as expected). However, when we impersonate a user, instead of getting the 'You’re not authorized to modify the page' message, the impersonated account has the ability to modify pages that they shouldn't have access to. We didn't have this problem in 8.2.