When querying an order, the accountingCategory field is returned to all parties, including the contributing side. Accounting categories are chosen by host admins for their own bookkeeping. As a contributor, I see a categorization on my contribution that I didn't pick and that isn't relevant to me. This is more of a UX/consistency issue than a security concern: the data isn't sensitive, but it's confusing to surface internal host accounting details to someone who has no context for them and no ability to change them.
The accountingCategory resolver on the Order type (server/graphql/v2/object/Order.js:348) has no permission scoping, and the AccountingCategory type itself doesn't gate any fields. We should restrict visibility to host admins (and possibly collective admins depending on the category's appliesTo / hostOnly settings).
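To make the proposed scoping concrete, here is an added example (not Open Collective's own code) showing the unscoped resolver beside a permission-scoped version. The order and user shapes are simplified stand-ins for the real models, `isAdminOf()` is a hypothetical helper, and the rule that collective admins see only non-`hostOnly` categories is an assumption about the flag's intended meaning.

```javascript
// Constructed fixtures: host 10 fiscally hosts collective 20; order 100 belongs to collective 20.
const ORDER = {
  id: 100,
  collective: { id: 20, HostCollectiveId: 10 },
  accountingCategory: { id: 7, code: '4000', name: 'Donations', hostOnly: true },
};
const HOST_ADMIN = { id: 1, adminOf: new Set([10]) };
const COLLECTIVE_ADMIN = { id: 2, adminOf: new Set([20]) };
const CONTRIBUTOR = { id: 3, adminOf: new Set() };

// Hypothetical helper standing in for the project's real membership check.
function isAdminOf(user, collectiveId) {
  return Boolean(user) && user.adminOf.has(collectiveId);
}

// Before: no scoping, so every party (including the contributor) sees the host's category.
function resolveAccountingCategoryUnscoped(order /*, args, req */) {
  return order.accountingCategory;
}

// After: host admins always see the category; collective admins only when it is not
// hostOnly (assumed semantics); everyone else, including anonymous viewers, gets null.
function resolveAccountingCategoryScoped(order, user) {
  const category = order.accountingCategory;
  if (!category) return null;
  if (isAdminOf(user, order.collective.HostCollectiveId)) return category;
  if (!category.hostOnly && isAdminOf(user, order.collective.id)) return category;
  return null;
}

// How the scoped resolver would sit in the Order type's field config, taking the
// viewer from the request context the way graphql-js resolvers receive it.
const OrderFields = {
  accountingCategory: {
    resolve: (order, _args, req) => resolveAccountingCategoryScoped(order, req.remoteUser),
  },
};
```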
In the future, the contributing side should be able to set their own accounting categories, parallel to the receiving side.